Configuring Port Mirroring and Analyzers

Understanding Port Mirroring Analyzers

Port mirroring can be used for traffic analysis on routers and switches that, unlike hubs, do not broadcast packets to every port on the destination device. Port mirroring sends copies of all packets or policy-based sample packets to local or remote analyzers where you can monitor and analyze the data.

In the context of port mirroring analyzers, we use the term switching device. The term indicates that the device (including routers) is performing a switching function.

You can use analyzers on a packet level to help you:

  • Monitor network traffic

  • Enforce network usage policies

  • Enforce file sharing policies

  • Identify the causes of problems

  • Identify stations or applications with heavy or abnormal bandwidth usage

You can configure port mirroring to mirror:

  • Bridged packets (Layer 2 packets)

  • Routed packets (Layer 3 packets)

Mirrored packets can be copied to either a local interface for local monitoring or a VLAN or bridge domain for remote monitoring.

The following packets can be copied:

  • Packets entering or exiting a port—You can mirror packets entering or exiting ports, in any combination, for up to 256 ports. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.

  • Packets entering or exiting a VLAN or bridge domain—You can mirror the packets entering or exiting a VLAN or bridge domain to either a local analyzer port or to an analyzer VLAN or bridge domain. You can configure multiple VLANs (up to 256 VLANs) or bridge domains as ingress inputs to an analyzer, including a VLAN range and private VLANs (PVLANs).

  • Policy-based sample packets—You can mirror a policy-based sample of packets that are entering a port, VLAN, or bridge domain. You configure a firewall filter with a policy to select the packets to be mirrored. You can send the sample to a port-mirroring instance or to an analyzer VLAN or bridge domain.

Analyzer Overview

You can configure an analyzer to define both the input traffic and the output traffic in the same analyzer configuration. The input traffic to be analyzed can be either traffic that enters or traffic that exits an interface or VLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, next-hop group, VLAN, or bridge domain. You can configure an analyzer at the [edit forwarding-options analyzer] hierarchy level.

Statistical Analyzer Overview

You can define a set of mirroring properties, such as mirroring rate and maximum packet length for traffic, that you can explicitly bind to physical ports on the router or switch. This set of mirroring properties constitutes a statistical analyzer (also called a non-default analyzer). At this level, you can bind a named instance to the physical ports associated with a specific FPC.

Default Analyzer Overview

You can configure an analyzer without configuring any mirroring properties (such as mirroring rate or maximum packet length). By default, the mirroring rate is set to 1 and the maximum packet length is set to the complete length of the packet. These properties are applied at the global level and need not be bound to a specific FPC.

Port Mirroring at a Group of Ports Bound to Multiple Statistical Analyzers

You can apply up to two statistical analyzers to the same port groups on the switching device. By applying two different statistical analyzer instances to the same FPC or Packet Forwarding Engine, you can bind two distinct Layer 2 mirroring specifications to a single port group. Mirroring properties that are bound to an FPC override any analyzer (default analyzer) properties bound at the global level on the switching device. Default analyzer properties are overridden by binding a second analyzer instance on the same port group.

Port Mirroring Analyzer Terminology

Table 1 lists some port mirroring analyzer terms and their descriptions.

Table 1: Analyzer Terminology
Term Description

Analyzer

In a mirroring configuration, the analyzer includes:

  • The name of the analyzer

  • Source (input) ports, VLANs, or bridge domains

  • The destination for mirrored packets (either a local port, VLAN, or bridge domain)

Analyzer output interface

(Also known as a monitor port)

Interface where mirrored traffic is sent and a protocol analyzer is connected.

Interfaces used as output to an analyzer must be configured under the forwarding-options hierarchy level.

Analyzer output interfaces have the following limitations:

  • They cannot also be a source port.

  • They do not participate in Layer 2 protocols, such as the Spanning Tree Protocol (STP).

  • If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped.

Analyzer VLAN or bridge domain

(Also known as a monitor VLAN or bridge domain)

VLAN or bridge domain to which mirrored traffic is sent for use by a protocol analyzer. The member interfaces in the monitor VLAN or bridge domain are spread across the switching devices in your network.

Bridge-domain-based analyzer

An analyzer session configured to use bridge domains for input, output or both.

Default analyzer

An analyzer with default mirroring parameters. By default, the mirroring rate is 1 and the maximum packet length is the length of the complete packet.

Input interface

(Also known as mirrored ports or monitored interfaces)

An interface on the switching device where the traffic entering or exiting this interface is mirrored.

LAG-based analyzer

An analyzer that has a link aggregation group (LAG) specified as the input (ingress) interface in the analyzer configuration.

Local mirroring

An analyzer configuration in which packets are mirrored to a local analyzer port.

Monitoring station

A computer running a protocol analyzer.

Analyzer based on next-hop group

An analyzer configuration that uses the next-hop group as the output to an analyzer.

Port-based analyzer

An analyzer configuration that defines interfaces for input and output.

Protocol analyzer application

An application used to examine packets transmitted across a network segment. Also commonly called a network analyzer, packet sniffer or probe.

Remote mirroring

Functions the same way as local mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN or bridge domain that you create specifically for the purpose of receiving mirrored traffic. Mirrored packets have an additional outer tag of the analyzer VLAN or bridge domain.

Statistical analyzer

(Also known as a non-default analyzer)

A set of mirroring properties that you can explicitly bind to the physical ports on the switch. This set of analyzer properties is known as a statistical analyzer.

VLAN-based analyzer

An analyzer configuration that uses VLANs to deliver the mirrored traffic to the analyzer.

Configuration Guidelines for Port Mirroring Analyzers

When you configure port mirroring analyzers, we recommend that you follow these guidelines to ensure optimum benefit. Disable mirroring when you are not using it, and select specific interfaces as input to the analyzer rather than using the all keyword option, which enables mirroring on all interfaces. Mirroring only necessary packets reduces any potential performance impact.

You can also limit the amount of mirrored traffic by:

  • Using statistical sampling

  • Using a firewall filter

  • Setting a ratio to select a statistical sample

With local mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. You must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.

Table 2 summarizes further configuration guidelines for analyzers.

Table 2: Configuration Guidelines for Port Mirroring Analyzers

Guideline: Number of analyzers that you can enable concurrently.
Value or Support Information: 64 default analyzers; 2 per FPC for statistical analyzers.
Comment: Statistical analyzers must be bound to an FPC for mirroring traffic on ports belonging to that FPC.

  Note:

  Default analyzer properties are implicitly bound on the last (or second to last) instance on all FPCs in the system. Therefore, when you explicitly bind a second statistical analyzer on the FPC, the default analyzer properties are overridden.

Guideline: Number of interfaces, VLANs, or bridge domains that you can use as ingress input to an analyzer.
Value or Support Information: 256

Guideline: Types of ports on which you cannot mirror traffic.
Value or Support Information:

  • Virtual Chassis ports (VCPs)

  • Management Ethernet ports (me0 or vme0)

  • Integrated routing and bridging (IRB) interfaces

  • VLAN-tagged Layer 3 interfaces

Guideline: Protocol families that you can include in an analyzer.
Value or Support Information: ethernet-switching for EX Series switches and bridge for MX Series routers.
Comment: An analyzer mirrors only bridged traffic. To mirror routed traffic, use the port mirroring configuration with family inet or inet6.

Guideline: Packets with physical layer errors are not sent to the local or remote analyzer.
Value or Support Information: Applicable
Comment: Packets with these errors are filtered out and thus are not sent to the analyzer.

Guideline: Analyzer does not support line-rate traffic.
Value or Support Information: Applicable
Comment: Mirroring for line-rate traffic is done on a best-effort basis.

Guideline: Analyzer output on a LAG interface.
Value or Support Information: Supported

Guideline: Analyzer output interface mode as trunk mode.
Value or Support Information: Supported
Comment:

  • The trunk interface must be a member of all VLANs or bridge domains that are related to the input configuration of the analyzer.

  • You must use the mirror-once option if the input has been configured as a VLAN or bridge domain and the output is a trunk interface.

    Note:

    With the mirror-once option, if the analyzer input is from both ingress and egress mirroring, only ingress traffic is mirrored. If both ingress and egress mirroring are required, the output interface cannot be a trunk. In such cases, configure the interface as an access interface.

Guideline: Egress mirroring of host-generated control packets.
Value or Support Information: Not supported

Guideline: Configuring Layer 3 logical interfaces in the input stanza of an analyzer.
Value or Support Information: Not supported

Guideline: The input and output stanzas of an analyzer must not contain members of the same VLAN, or the VLAN itself.
Value or Support Information: Applicable

Guideline: Support for a VLAN and its member interfaces in different analyzer sessions.
Value or Support Information: Not supported
Comment: If this is configured, only one of the two analyzers is active.

Guideline: Egress mirroring of aggregated Ethernet (ae) interfaces and their child logical interfaces configured for different analyzers.
Value or Support Information: Not supported

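The guidelines above lend themselves to a pre-commit review check. The following Python linter is an added example, not Juniper software or code from this documentation: the Interface/Analyzer data model, the rule set and the sample inventory (interface names taken from the procedures below, VLAN names constructed) are assumptions made here, and the device still enforces its own checks at commit time.

```python
"""Lint a modelled analyzer configuration against the guidelines in Table 2.

Added example, not Juniper code: the Interface/Analyzer model, the rule set
and the sample inventory are constructed here for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_INPUTS = 256  # interfaces, VLANs or bridge domains usable as ingress input
# Port types on which traffic cannot be mirrored (name prefixes, constructed).
NON_MIRRORABLE_PREFIXES = ("vcp-", "me0", "vme0", "irb")


@dataclass(frozen=True)
class Interface:
    name: str
    mode: str = "access"                  # "access" or "trunk"
    vlans: frozenset = frozenset()        # VLANs this interface is a member of
    family: str = "ethernet-switching"
    tagged_layer3: bool = False           # VLAN-tagged Layer 3 interface


@dataclass
class Analyzer:
    name: str
    ingress_ifaces: List[str] = field(default_factory=list)
    egress_ifaces: List[str] = field(default_factory=list)
    ingress_vlans: List[str] = field(default_factory=list)
    egress_vlans: List[str] = field(default_factory=list)
    output_iface: Optional[str] = None
    output_vlan: Optional[str] = None
    mirror_once: bool = False


def lint_analyzer(a: Analyzer, ifaces: Dict[str, Interface]) -> List[str]:
    """Return the guideline violations found; an empty list means clean."""
    problems = []
    in_ifaces = set(a.ingress_ifaces) | set(a.egress_ifaces)
    in_vlans = set(a.ingress_vlans) | set(a.egress_vlans)
    has_ingress = bool(a.ingress_ifaces or a.ingress_vlans)
    has_egress = bool(a.egress_ifaces or a.egress_vlans)
    # VLANs "related to the input configuration": the input VLANs themselves
    # plus the VLAN memberships of every input interface.
    related_vlans = set(in_vlans)
    for name in in_ifaces:
        related_vlans |= ifaces[name].vlans

    if len(in_ifaces) + len(in_vlans) > MAX_INPUTS:
        problems.append(f"{a.name}: more than {MAX_INPUTS} ingress inputs")
    for name in sorted(in_ifaces):
        base = name.split(".")[0]  # physical name without the logical unit
        if base.startswith(NON_MIRRORABLE_PREFIXES) or ifaces[name].tagged_layer3:
            problems.append(f"{name}: traffic on this port type cannot be mirrored")
    if a.output_iface is None and a.output_vlan is None:
        problems.append(f"{a.name}: no output interface or VLAN configured")

    if a.output_iface is not None:
        out = ifaces[a.output_iface]
        if out.name in in_ifaces:
            problems.append(f"{out.name}: output interface is also a source port")
        if out.family != "ethernet-switching":
            problems.append(f"{out.name}: output must be family ethernet-switching")
        if out.mode == "trunk":
            missing = related_vlans - out.vlans
            if missing:
                problems.append(f"{out.name}: trunk output is not a member of "
                                f"{sorted(missing)}")
            if in_vlans and not a.mirror_once:
                problems.append(f"{out.name}: VLAN input with a trunk output "
                                "requires mirror-once")
            if a.mirror_once and has_ingress and has_egress:
                problems.append(f"{out.name}: with mirror-once only ingress is "
                                "mirrored; use an access interface for both")

    if a.output_vlan is not None:
        if a.output_vlan in in_vlans:
            problems.append(f"{a.output_vlan}: same VLAN in input and output")
        for name in sorted(in_ifaces):
            if a.output_vlan in ifaces[name].vlans:
                problems.append(f"{name}: input port is a member of the output "
                                f"VLAN {a.output_vlan}")
    return problems


# Constructed sample inventory and analyzers (interface names follow the text).
INVENTORY = {
    "ge-0/0/0.0": Interface("ge-0/0/0.0", vlans=frozenset({"employees"})),
    "ge-0/0/1.0": Interface("ge-0/0/1.0", vlans=frozenset({"employees"})),
    "ge-0/0/10.0": Interface("ge-0/0/10.0"),
    "ge-0/1/1.0": Interface("ge-0/1/1.0", mode="trunk",
                            vlans=frozenset({"remote-analyzer"})),
    "me0.0": Interface("me0.0"),
}
GOOD_LOCAL = Analyzer("employee-monitor",
                      ingress_ifaces=["ge-0/0/0.0", "ge-0/0/1.0"],
                      output_iface="ge-0/0/10.0")
BAD_LOCAL = Analyzer("bad-monitor",  # mirrors me0 and its own output port
                     ingress_ifaces=["ge-0/0/0.0", "me0.0", "ge-0/0/10.0"],
                     output_iface="ge-0/0/10.0")
BAD_TRUNK = Analyzer("bad-trunk",  # VLAN input to a trunk without mirror-once
                     ingress_vlans=["employees"],
                     output_iface="ge-0/1/1.0")
```

Running `lint_analyzer(BAD_TRUNK, INVENTORY)` reports both the missing VLAN membership on the trunk and the missing mirror-once option, while GOOD_LOCAL comes back clean.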
Configuring Mirroring on EX9200 Switches to Analyze Traffic (CLI Procedure)

EX9200 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy the following packets:

  • Packets entering or exiting a port

  • Packets entering or exiting a VLAN

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable the analyzers that you have configured when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by:

    • Using statistical sampling.

    • Setting ratios to select statistical samples.

    • Using firewall filters.

Note:

If you want to create additional analyzers without deleting the existing analyzers, disable the existing analyzers by using the disable analyzer analyzer-name statement from the command-line interface (CLI) or from the J-Web configuration page for mirroring.

Note:

Interfaces used as output to an analyzer must be configured under the ethernet-switching family, and must be associated to a VLAN.

Configuring an Analyzer for Local Traffic Analysis

To mirror network traffic or VLAN traffic on the switch to an interface on the switch by using analyzers:

  1. Choose a name for the analyzer and specify the input:

    For example, create an analyzer called employee-monitor to monitor the packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

  2. Configure the destination interface for the mirrored packets:

    For example, configure ge-0/0/10.0 as the destination interface for the employee-monitor analyzer:

Configuring an Analyzer for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN used for analysis from a remote location:

  1. Configure a VLAN to carry the mirrored traffic:

    For example, define an analyzer VLAN called remote-analyzer and assign it the VLAN ID 999:

  2. Set the uplink module interface that is connected to the distribution switch to access mode and associate it with the analyzer VLAN:

    For example, set the interface ge-0/1/1 to access mode and associate it with the analyzer VLAN ID 999:

  3. Configure the analyzer:
    1. Define an analyzer and specify the traffic to be mirrored:

      For example, define the employee-monitor analyzer for which traffic to be mirrored comprises packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

    2. Specify the analyzer VLAN as the output for the analyzer:

      For example, specify the remote-analyzer VLAN as the output analyzer for the employee-monitor analyzer:

Configuring a Statistical Analyzer for Local Traffic Analysis

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch by using a statistical analyzer:

  1. Choose a name for the analyzer and specify the input interfaces:

    For example, specify an analyzer called employee-monitor and specify the input interfaces ge-0/0/0 and ge-0/0/1:

  2. Configure the destination interface for the mirrored packets:

    For example, configure ge-0/0/10.0 as the destination interface for the mirrored packets:

  3. Specify mirroring properties.
    1. Specify the mirroring rate—that is, the number of packets to be mirrored per second:

      The valid range is 1 through 65,535.

    2. Specify at what length mirrored packets are truncated:

      The valid range is 0 through 9216. The default value is 0, indicating that mirrored packets are not truncated.

Configuring a Statistical Analyzer for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location by using a statistical analyzer:

  1. Configure a VLAN to carry the mirrored traffic:

    For example, configure a VLAN called remote-analyzer with VLAN ID 999:

  2. Set the uplink module interface that is connected to the distribution switch to access mode and associate it with the VLAN:

    For example, set the uplink module interface ge-0/1/1.0 that is connected to the distribution switch to access mode and associate it with the remote-analyzer VLAN:

  3. Configure the statistical analyzer:
    1. Specify the traffic to be mirrored:

      For example, specify the packets entering ports ge-0/0/0.0 and ge-0/0/1.0 to be mirrored:

    2. Specify an output for the analyzer:

      For example, specify the remote-analyzer VLAN as the output for the analyzer:

  4. Specify mirroring properties.

    1. Specify the mirroring rate—that is, the number of packets to be mirrored per second:

      The valid range is 1 through 65,535.

    2. Specify the length to which mirrored packets are to be truncated:

      The valid range is 0 through 9216. The default value is 0, which means the mirrored packets are not truncated.

Binding Statistical Analyzers to Ports Grouped at the FPC Level

You can bind a statistical analyzer to a specific FPC in the switch, that is, you can bind the statistical analyzer instance at the FPC level of the switch. The mirroring properties specified in the statistical analyzer are applied to all physical ports associated with all Packet Forwarding Engines on the specified FPC.

To bind a named instance of Layer 2 analyzer to an FPC:

  1. Enable configuration of switch chassis properties:

  2. Enable configuration of an FPC (and its installed PICs):

  3. Bind a statistical analyzer instance to the FPC:

  4. (Optional) To bind a second statistical analyzer instance of Layer 2 mirroring to the same FPC, repeat Step 3 and specify a different statistical analyzer name:

  5. Verify the minimum configuration of the binding:

Note:

On binding a second instance (stats_analyzer-2 in this example), the mirroring properties of this session, if configured, override any default analyzer properties.

Configuring an Analyzer with Multiple Destinations by Using Next-Hop Groups

You can mirror traffic to multiple destinations by configuring next-hop groups as analyzer output. The mirroring of packets to multiple destinations is also known as multipacket port mirroring.

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch (by using analyzers):

  1. Choose a name for the analyzer and specify the input:

    For example, create an analyzer called employee-monitor for which the input traffic comprises packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

  2. Configure the destination interface for the mirrored packets:

    For example, configure the next-hop group nhg as the destination for the employee-monitor analyzer:

Defining a Next-Hop Group for Layer 2 Mirroring

The next-hop group configuration at the [edit forwarding-options] configuration level enables you to define a next-hop group name, the type of addresses to be used in the next-hop group, and the logical interfaces that form the multiple destinations to which traffic can be mirrored. By default, the next-hop group is specified using Layer 3 addresses using the [edit forwarding-options next-hop-group next-hop-group-name group-type inet] statement. To specify a next-hop group using Layer 2 addresses instead, include the [edit forwarding-options next-hop-group next-hop-group-name group-type layer-2] statement.

To define a next-hop group for Layer 2 mirroring:

  1. Enable configuration of a next-hop group for Layer 2 mirroring:

    For example, configure next-hop-group with name nhg:

  2. Specify the type of addresses to be used in the next-hop group configuration:

    For example, configure next-hop-group type as layer-2 because the analyzer output must be layer-2 only:

  3. Specify the logical interfaces of the next-hop group:

    For example, to specify ge-0/0/10.0 and ge-0/0/11.0 as the logical interfaces of the next-hop group nhg:

Configuring Mirroring on EX4300 Switches to Analyze Traffic (CLI Procedure)

Note:

This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style.

EX4300 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering a VLAN

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured mirroring configurations when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by using firewall filters.

Note:

If you want to create additional analyzers without deleting the existing analyzers, then disable the existing analyzers by using the disable analyzer analyzer-name statement from the command-line interface or the J-Web configuration page for mirroring.

Note:

Interfaces used as output for an analyzer must be configured under the ethernet-switching family.

Configuring an Analyzer for Local Traffic Analysis

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch (by using analyzers):

  1. Choose a name for the analyzer and specify the input:

    For example, create an analyzer called employee-monitor for which the input traffic is packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

  2. Configure the destination interface for the mirrored packets:

    For example, configure ge-0/0/10.0 as the destination interface for the employee-monitor analyzer:

Configuring an Analyzer for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location (by using analyzers):

  1. Configure a VLAN to carry the mirrored traffic:

    For example, define an analyzer VLAN called remote-analyzer and assign it a VLAN ID of 999:

  2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the analyzer VLAN:

    For example, set the interface ge-0/1/1 to trunk mode and associate it with the analyzer VLAN ID 999:

  3. Configure the analyzer:
    1. Define an analyzer and specify the traffic to be mirrored:

      For example, define the employee-monitor analyzer for which traffic to be mirrored is packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

    2. Specify the analyzer VLAN as the output for the analyzer:

      For example, specify the remote-analyzer VLAN as the output analyzer for the employee-monitor analyzer:

Configuring Port Mirroring

To filter packets to be mirrored to a port-mirroring instance, create the instance and then use it as the action in the firewall filter. You can use firewall filters in both local and remote mirroring configurations.

If the same port-mirroring instance is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once.

To filter mirrored traffic, create a port-mirroring instance under the [edit forwarding-options] hierarchy level, and then create a firewall filter. The filter can use any of the available match conditions and must have port-mirror-instance instance-name as an action. This action in the firewall filter configuration provides the input to the port-mirroring instance.

To configure a port-mirroring instance with firewall filters:

  1. Configure the port-mirroring instance name (here, employee-monitor) and the output:
    1. For local analysis, set the output to the local interface where you will connect the computer running the protocol analyzer:
    2. For remote analysis, set the output to the remote-analyzer VLAN:
  2. Create a firewall filter by using any of the available match conditions and assign employee-monitor to the port-mirror-instance action:

    This step shows a firewall filter example-filter, with two terms (no-analyzer and to-analyzer):

    1. Create the first term to define the traffic that should not pass through to the port-mirroring instance employee-monitor:
    2. Create the second term to define the traffic that should pass through to the port-mirroring instance employee-monitor:
  3. Apply the firewall filter to the interfaces or VLAN that provide input to the port-mirroring instance:
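A small Python model of the two-term filter described in these steps, as an added example that is not Juniper code: the Packet and Term types, the match syntax, the file-server address and the VLAN name are constructed, and the first-match and copy-once semantics are assumptions stated in the docstring.

```python
"""Toy model of the two-term filter that feeds a port-mirroring instance.

Added example, not Juniper code: Packet/Term, the match syntax and the sample
traffic are constructed. Assumed semantics, as Junos filters generally behave:
terms are evaluated in order, the first match decides, a filter that matches
nothing discards, and one instance copies a given packet only once.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    pkt_id: int
    src: str    # source IP (constructed, documentation ranges)
    dst: str    # destination IP
    dport: int  # destination port


@dataclass(frozen=True)
class Term:
    name: str
    match: Tuple[Tuple[str, object], ...]  # (field, value) pairs; empty = any
    action: Tuple[str, ...]  # ("accept",) or ("port-mirror-instance", name)

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match)


def evaluate(terms: List[Term], pkt: Packet) -> Optional[Term]:
    """First matching term wins; None models the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term
    return None


def mirror_copies(terms: List[Term], arrivals):
    """arrivals: (input_name, Packet) pairs. The same packet is seen once per
    input the filter is applied to (for example an interface and its VLAN).
    Returns ({instance: set of copied pkt_ids}, [(input, pkt_id, decision)])."""
    copies: Dict[str, Set[int]] = {}
    decisions = []
    for inp, pkt in arrivals:
        term = evaluate(terms, pkt)
        decisions.append((inp, pkt.pkt_id, term.name if term else "implicit-discard"))
        if term and term.action[0] == "port-mirror-instance":
            # keying the copies by packet id gives the copy-once behaviour
            copies.setdefault(term.action[1], set()).add(pkt.pkt_id)
    return copies, decisions


# The filter from the steps above: traffic to the (constructed) file server at
# 192.0.2.10 is excluded by the first term, everything else is mirrored.
EXAMPLE_FILTER = [
    Term("no-analyzer", match=(("dst", "192.0.2.10"),), action=("accept",)),
    Term("to-analyzer", match=(), action=("port-mirror-instance", "employee-monitor")),
]
# The same terms in the wrong order: the catch-all term shadows the exclusion.
MISORDERED_FILTER = [EXAMPLE_FILTER[1], EXAMPLE_FILTER[0]]

P1 = Packet(1, "198.51.100.20", "192.0.2.10", 445)   # to the file server
P2 = Packet(2, "198.51.100.20", "203.0.113.7", 443)
P3 = Packet(3, "198.51.100.21", "203.0.113.8", 80)
# P2 arrives on ge-0/0/0.0 and is seen again where the filter is applied to
# the (constructed) employees VLAN, so it must still be copied only once.
ARRIVALS = [("ge-0/0/0.0", P1), ("ge-0/0/0.0", P2), ("employees", P2), ("ge-0/0/1.0", P3)]
```

With EXAMPLE_FILTER only packets 2 and 3 reach employee-monitor, and packet 2 is copied once despite two arrivals; with MISORDERED_FILTER the file-server traffic is mirrored as well.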

Configuring Port Mirroring to Analyze Traffic (CLI Procedure)

This configuration task uses Junos OS for EX Series switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.

EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4500, or EX6200 switches

  • Packets exiting a VLAN on EX8200 switches

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured port mirroring analyzers when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by:

    • Using statistical sampling.

    • Setting ratios to select statistical samples.

    • Using firewall filters.

Before you begin to configure port mirroring, note the following limitations for analyzer output interfaces:

  • Cannot also be a source port.

  • Cannot be used for switching.

  • Do not participate in Layer 2 protocols (such as RSTP) when part of a port mirroring configuration.

  • Do not retain any VLAN associations they held before they were configured as analyzer output interfaces.

Note:

If you want to create additional analyzers without deleting the existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command or the J-Web configuration page for port mirroring.

Note:

Interfaces used as output for an analyzer must be configured as family ethernet-switching.

Configuring Port Mirroring for Local Traffic Analysis

To mirror interface traffic or VLAN traffic on the switch to another interface on the switch:

  1. Choose a name for the analyzer—in this case employee-monitor—and specify the input—in this case, packets entering ge-0/0/0 and ge-0/0/1:
  2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

    When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch. On EX8200 switches, you can set a ratio only for ingress packets.

  3. Configure the destination interface for the mirrored packets:

Configuring Port Mirroring for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

  1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this documentation:
  2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:
  3. Configure the analyzer:
    1. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:
    2. Specify the traffic to be mirrored—in this example the packets entering ports ge-0/0/0 and ge-0/0/1:
    3. Specify the remote-analyzer VLAN as the output for the analyzer:
  4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

    When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

Filtering the Traffic Entering an Analyzer

To filter which packets are mirrored to an analyzer, create the analyzer and then use it as the action in the firewall filter. You can use firewall filters in both local and remote port mirroring configurations.

If the same analyzer is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once.

To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can use any of the available match conditions and must have an action of analyzer. The action of the firewall filter provides the input to the analyzer.

To configure port mirroring with filters:

  1. Configure the analyzer name (here, employee-monitor) and the output:
    1. For local analysis, set the output to the local interface to which you will connect the computer running the protocol analyzer application:
    2. For remote analysis, set the loss priority to high and set the output to the remote-analyzer VLAN:
  2. Create a firewall filter using any of the available match conditions and specify the action as analyzer:

    This step shows a firewall filter called example-filter, with two terms:

    1. Create the first term to define the traffic that should not pass through to the analyzer:
    2. Create the second term to define the traffic that should pass through to the analyzer:
  3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:

Verifying Input and Output for Port Mirroring Analyzers on EX Series Switches

Purpose

This verification task uses Junos OS for EX Series switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.

Verify that an analyzer has been created on the switch and has the appropriate mirror input interfaces, and the appropriate analyzer output interface.

Action

You can verify the port mirror analyzer is configured as expected by using the show analyzer command.

You can view all of the port mirror analyzers configured on the switch, including any that are disabled, by using the show ethernet-switching-options command in configuration mode.

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), a loss priority of high (set this option to high whenever the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and is sending the mirrored traffic to the analyzer called remote-analyzer.

Example: Configuring Port Mirroring Analyzers for Local Monitoring of Employee Resource Use

Juniper Networks devices allow you to configure port mirroring to send copies of packets either to a local interface for local monitoring or to a VLAN or bridge domain for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering or exiting a VLAN or bridge domain

You can then analyze the mirrored traffic locally or remotely using a protocol analyzer. You can install an analyzer on a local destination interface. If you are sending mirrored traffic to an analyzer VLAN or bridge domain, you can use an analyzer on a remote monitoring station.

This topic describes how to configure local mirroring on a switching device. The examples in this topic describe how to configure a switching device to mirror traffic entering interfaces connected to employee computers to an analyzer output interface on that same device.

Requirements

Use either one of the following hardware and software components:

  • One EX9200 switch with Junos OS Release 13.2 or later

  • One MX Series router with Junos OS Release 14.1 or later

Before you configure port mirroring, be sure you have an understanding of mirroring concepts. For information about analyzers, see Understanding Port Mirroring Analyzers. For information about port mirroring, see Understanding Layer 2 Port Mirroring.

Overview and Topology

This topic describes how to mirror all traffic entering ports on the switching device to a destination interface on the same device (local mirroring). In this case, the traffic is entering ports connected to employee computers.

Note:

Mirroring all traffic requires significant bandwidth and should only be done during an active investigation.

The interfaces ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.

The interface ge-0/0/10 is reserved for analysis of the mirrored traffic.

Connect a PC running a protocol analyzer to the analyzer output interface.

Note:

Multiple ports mirrored to one interface can cause buffer overflow, resulting in mirrored packets being dropped at the output interface.

Figure 1 shows the network topology for this example.

Figure 1: Network Topology for Local Port Mirroring Example

Mirroring All Employee Traffic for Local Analysis

Procedure

CLI Quick Configuration

To quickly configure local mirroring for ingress traffic sent on two ports connected to employee computers, copy the following commands for either EX Series switches or MX Series routers and paste them into the switching device terminal window:

EX Series

MX Series

Step-by-Step Procedure

To configure an analyzer called employee-monitor and specify both the input (source) interfaces and the analyzer output interface:

  1. Configure each interface to be used in the analyzer configuration. Use the family protocol that is correct for your platform.

    To configure family bridge on an interface, you must configure interface-mode access or interface-mode trunk as well. You also must configure vlan-id.

  2. Configure each interface connected to employee computers as an input (ingress) interface for the analyzer employee-monitor.

  3. Configure the output analyzer interface for the employee-monitor analyzer.

    This will be the destination interface for the mirrored packets.
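The three steps above collected into one pasteable configuration. This is an added example, not the page's own quick configuration: the VLAN name and ID (employee-vlan, 100) and the MX bridge-domain statements (employee-bd) are assumptions, and lines beginning with # are annotations to drop before pasting. Apply either the EX9200 lines or the MX lines, not both; the analyzer statements at the end are the same on both platforms.

```junos
# --- EX9200 (ELS): family ethernet-switching, VLAN membership by name ---
set vlans employee-vlan vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employee-vlan
# Analyzer output port: deliberately NOT a member of employee-vlan, so the
# analysis PC only receives mirrored copies and is not itself on the user VLAN.
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access

# --- MX Series: family bridge requires interface-mode AND vlan-id (step 1) ---
# Bridge-domain name and membership statements are assumed for this example.
# set bridge-domains employee-bd vlan-id 100
# set interfaces ge-0/0/0 unit 0 family bridge interface-mode access vlan-id 100
# set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 100
# set bridge-domains employee-bd interface ge-0/0/0.0
# set bridge-domains employee-bd interface ge-0/0/1.0
# set interfaces ge-0/0/10 unit 0 family bridge interface-mode access vlan-id 100

# --- Common: the employee ports are ingress INPUTS, ge-0/0/10 is the one OUTPUT ---
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor output interface ge-0/0/10.0
commit

# Check: State must be "up" and both input interfaces must be listed.
run show forwarding-options analyzer
```

When the investigation ends, remove the analyzer (delete forwarding-options analyzer employee-monitor) rather than leaving it in place: every packet from the two employee ports is otherwise copied to whatever is plugged into ge-0/0/10.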

Results

Check the results of the configuration.

Verification

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer employee-monitor has been created on the switching device with the appropriate input interfaces and the appropriate output interface.

Action

Use the show forwarding-options analyzer operational command to verify that an analyzer is configured as expected.

Meaning

The output shows that the employee-monitor analyzer has a ratio of 1 (that is, it mirrors every packet, the default), that the maximum size of the original packet mirrored is 0 (the entire packet is mirrored), that the state of the configuration is up, and that the analyzer is mirroring the traffic entering the ge-0/0/0 and ge-0/0/1 interfaces and sending the mirrored traffic to the ge-0/0/10 interface.

If the output interface is down or is not configured, the value of State is down, indicating that the analyzer is not delivering mirrored traffic.

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use

Juniper Networks devices allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN or bridge domain for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering or exiting a VLAN

  • Packets entering or exiting a bridge domain

If you are sending mirrored traffic to an analyzer VLAN or bridge domain, you can analyze the mirrored traffic by using a protocol analyzer running on a remote monitoring station.

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you do the following:

  • Disable your configured mirroring sessions when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by:

    • Using statistical sampling.

    • Setting ratios to select statistical samples.

    • Using firewall filters.

The examples in this topic describe how to configure remote port mirroring to analyze employee resource usage.

Requirements

This example uses one of the following pairs of hardware and software components:

  • One EX9200 switch connected to another EX9200 switch, both running Junos OS Release 13.2 or later

  • One MX Series router connected to another MX Series router, both running Junos OS Release 14.1 or later

Before you configure remote mirroring, be sure that:

  • You have an understanding of mirroring concepts.

  • The interfaces that the analyzer will use as input interfaces have been configured on the switching device.

Overview and Topology

This topic describes how to configure port mirroring to a remote analyzer VLAN or bridge domain so that the analysis can be done from a remote monitoring station.

Figure 2 shows the network topology for both the EX Series example and the MX Series example scenarios.

Topology

Figure 2: Network Topology for Remote Port Mirroring and Analysis

In this example:

  • Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both are interfaces on the source device) that serve as connections for employee computers.

  • Interface ge-0/0/10 is a Layer 2 interface that connects the source switching device to the destination switching device.

  • Interface ge-0/0/5 is a Layer 2 interface that connects the destination switching device to the remote monitoring station.

  • The analyzer remote-analyzer is configured on all switching devices in the topology to carry the mirrored traffic. This topology can use either a VLAN or a bridge domain.

Mirroring Employee Traffic for Remote Analysis By Using a Statistical Analyzer

To configure a statistical analyzer for remote traffic analysis for all incoming and outgoing employee traffic, select one of the following examples:

Mirroring Employee Traffic for Remote Analysis for EX Series Switches

CLI Quick Configuration

To quickly configure a statistical analyzer for remote traffic analysis of the incoming and outgoing employee traffic, copy the following commands for EX Series switches and paste them into the correct switching device terminal window.

  • Copy and paste the following commands in the source switching device terminal window:

    EX Series

  • Copy and paste the following commands in the destination switching device terminal window:

    EX Series

Step-by-Step Procedure

To configure basic remote mirroring:

  1. On the source switching device, do the following:

    • Configure the VLAN ID for the remote-analyzer VLAN.

    • Configure the interface on the network port connected to the destination switching device for access mode and associate it with the remote-analyzer VLAN.

    • Configure the statistical analyzer employee-monitor.

    • Bind the statistical analyzer to the FPC that contains the input interface.

  2. On the destination switching device, do the following:

    • Configure the VLAN ID for the remote-analyzer VLAN.

    • Configure the interface connected to the source switching device for access mode and associate it with the remote-analyzer VLAN.

    • Configure the interface connected to the remote monitoring station for access mode.

    • Configure the employee-monitor analyzer.

    • Specify mirroring parameters such as rate and the maximum packet length for the employee-monitor analyzer.

    • Bind the employee-monitor analyzer to the FPC containing the input ports.

Results

Check the results of the configuration on the source switching device:

Check the results of the configuration on the destination switching device.

Mirroring Employee Traffic for Remote Analysis for MX Series Routers

CLI Quick Configuration

To quickly configure a statistical analyzer for remote traffic analysis of incoming and outgoing employee traffic, copy the following commands for MX Series routers and paste them into the correct switching device terminal window.

  • Copy and paste the following commands in the source switching device terminal window:

    MX Series

  • Copy and paste the following commands in the destination switching device terminal window:

    MX Series

Step-by-Step Procedure

To configure basic remote mirroring using MX Series routers:

  1. On the source switching device, do the following:

    • Configure the VLAN ID for the remote-analyzer bridge domain.

    • Configure the interface on the network port connected to the destination switching device for access mode and associate it with the remote-analyzer bridge domain.

    • Configure the statistical analyzer employee-monitor.

    • Bind the statistical analyzer to the FPC that contains the input interface.

  2. On the destination switching device, do the following:

    • Configure the VLAN ID for the remote-analyzer bridge domain.

    • Configure the interface connected to the source switching device for access mode and associate it with the remote-analyzer bridge domain.

    • Configure the interface connected to the remote monitoring station for access mode.

    • Configure the employee-monitor analyzer.

    • Specify mirroring parameters such as rate and the maximum packet length for the employee-monitor analyzer.

    • Bind the employee-monitor analyzer to the FPC containing the input ports.
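A complete source-plus-destination configuration for the EX Series procedure above and, as commented differences, for the MX Series procedure. This is an added example, not the page's own quick configuration. Assumed: VLAN (bridge-domain) ID 999, FPC slot 0 for the port-mirror-instance binding, and the bridge-domain keyword spelling on MX; ratio 2 and maximum-packet-length 128 are the values the Verification section reports. Lines beginning with # are annotations.

```junos
# ===== Source device (EX9200) =====
set vlans remote-analyzer vlan-id 999
# Uplink to the destination device: the ONLY member of remote-analyzer on this box.
# This VLAN carries copies of every employee packet; never add it to user-facing
# trunks or any other port.
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer
# Statistical analyzer: both directions of both employee ports, 1 packet in 2,
# first 128 bytes only (headers, not payload), output into the analyzer VLAN.
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input egress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor input egress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor ratio 2
set forwarding-options analyzer employee-monitor maximum-packet-length 128
set forwarding-options analyzer employee-monitor output vlan remote-analyzer
# A sampled (ratio) analyzer must be bound to the FPC holding the input ports.
set chassis fpc 0 port-mirror-instance employee-monitor
commit

# ===== Destination device (EX9200) =====
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer
# Monitoring-station port: access mode, not a member of remote-analyzer, so it
# gets traffic only through the analyzer below.
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set forwarding-options analyzer employee-monitor input ingress vlan remote-analyzer
set forwarding-options analyzer employee-monitor output interface ge-0/0/5.0
commit

# ===== MX Series differences (bridge domain in place of VLAN) =====
# set bridge-domains remote-analyzer vlan-id 999
# set interfaces ge-0/0/10 unit 0 family bridge interface-mode access vlan-id 999
# set bridge-domains remote-analyzer interface ge-0/0/10.0
# source:      set forwarding-options analyzer employee-monitor output bridge-domain remote-analyzer
# destination: set forwarding-options analyzer employee-monitor input ingress bridge-domain remote-analyzer
```

Run show forwarding-options analyzer on both devices; the source should report Ratio 2, Maximum packet length 128 and State up, the destination Ratio 1 with the VLAN as input and ge-0/0/5.0 as output. Keep ratio and maximum-packet-length in mind when reading captures: with these settings the remote station sees half of the packets and only their first 128 bytes, which is enough for flow analysis but not for payload inspection.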

Results

Check the results of the configuration on the source switching device:

Check the results of the configuration on the destination switching device.

Verification

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor has been created on the device with the appropriate input interfaces and the appropriate output interface.

Action

To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switching device, run the show forwarding-options analyzer command on the source switching device. The following output is displayed for this configuration example.

Meaning

This output shows that the employee-monitor instance has a ratio of 2, that the maximum size of the original packet that is mirrored is 128 bytes, that the state of the configuration is up (the analyzer is programmed), and that the analyzer is mirroring the traffic entering and exiting ge-0/0/0.0 and ge-0/0/1.0 and sending the mirrored traffic to the VLAN called remote-analyzer.

If the state of the output interface is down or if the output interface is not configured, the value of State will be down and the analyzer will not be able to monitor traffic.

Example: Configuring Mirroring to Multiple Interfaces for Remote Monitoring of Employee Resource Use on EX9200 Switches

EX9200 switches allow you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering or exiting a VLAN

You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured mirroring analyzers when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by:

    • Using statistical sampling.

    • Setting ratios to select statistical samples.

    • Using firewall filters.

This example describes how to configure remote mirroring to multiple interfaces on an analyzer VLAN:

Requirements

This example uses the following hardware and software components:

  • Three EX9200 switches

  • Junos OS Release 13.2 or later for EX Series switches

Before you configure remote mirroring, be sure that:

  • The interfaces that the analyzer will use as input interfaces have been configured on the switch.

Overview and Topology

This example describes how to mirror traffic entering ports on the switch to the remote analyzer VLAN so that you can perform analysis from a remote monitoring station. The remote-analyzer VLAN in this example contains multiple member interfaces. Therefore, the same traffic is mirrored to all member interfaces of the remote-analyzer VLAN so that mirrored packets can be sent to different remote monitoring stations. You can install applications, such as sniffers and intrusion detection systems, on remote monitoring stations to analyze these mirrored packets and to obtain useful statistical data. For instance, if there are two remote monitoring stations, you can install a sniffer on one remote monitoring station and an intrusion detection system on the other station. You can use a firewall filter analyzer configuration to forward a specific type of traffic to a remote monitoring station.

This example describes how to configure an analyzer to mirror traffic to multiple interfaces in the next-hop group so that traffic is sent to different monitoring stations for analysis.

Figure 3 shows the network topology for this example.

Figure 3: Remote Mirroring Example Network Topology Using Multiple VLAN Member Interfaces in the Next-Hop Group

Topology

In this example:

  • Interfaces ge-0/0/0 and ge-0/0/1 are Layer 2 interfaces (both interfaces on the source switch) that serve as connections for employee computers.

  • Interfaces ge-0/0/10 and ge-0/0/11 are Layer 2 interfaces on the source switch that connect to the Destination 1 and Destination 2 switches, respectively.

  • Interface ge-0/0/12 is a Layer 2 interface that connects the Destination 1 switch to its remote monitoring station.

  • Interface ge-0/0/13 is a Layer 2 interface that connects the Destination 2 switch to its remote monitoring station.

  • VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic to Multiple VLAN Member Interfaces for Remote Analysis

To configure mirroring to multiple VLAN member interfaces for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure mirroring for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

  • In the source switch terminal window, copy and paste the following commands:

  • In the Destination 1 switch terminal window, copy and paste the following commands:

  • In the Destination 2 switch terminal window, copy and paste the following commands:

Step-by-Step Procedure

To configure basic remote mirroring to two VLAN member interfaces:

  1. On the source switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interfaces connected to the destination switches for access mode and associate them with the remote-analyzer VLAN:

    • Configure the employee-monitor analyzer:

      In this analyzer configuration, traffic that enters and exits interfaces ge-0/0/0.0 and ge-0/0/1.0 is sent to the output destination defined by the next-hop group named remote-analyzer-nhg.

    • Configure the remote-analyzer-nhg next-hop group:

  2. On the Destination 1 switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the ge-0/0/10 interface on the Destination 1 switch for access mode:

    • Configure the interface connected to the remote monitoring station for access mode:

    • Configure the employee-monitor analyzer:

  3. On the Destination 2 switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the ge-0/0/11 interface on the Destination 2 switch for access mode:

    • Configure the interface connected to the remote monitoring station for access mode:

    • Configure the employee-monitor analyzer:
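The source-switch side of the procedure above, as an added example rather than the page's own quick configuration. The two destination switches are configured as in the previous remote example, each with its own uplink (ge-0/0/10 on Destination 1, ge-0/0/11 on Destination 2) and monitoring port (ge-0/0/12, ge-0/0/13). The VLAN ID 999 is assumed; lines beginning with # are annotations.

```junos
# Source switch: the analyzer output is a Layer 2 next-hop group, not a VLAN
set vlans remote-analyzer vlan-id 999
# Both uplinks are access members of remote-analyzer; nothing else is.
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members remote-analyzer
# Next-hop group: every member interface receives an identical copy of each
# mirrored packet, so the mirrored load on the switch is multiplied by the
# number of members.
set forwarding-options next-hop-group remote-analyzer-nhg group-type layer-2
set forwarding-options next-hop-group remote-analyzer-nhg interface ge-0/0/10.0
set forwarding-options next-hop-group remote-analyzer-nhg interface ge-0/0/11.0
# Analyzer: both directions of both employee ports, output to the group
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input egress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor input egress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor output next-hop-group remote-analyzer-nhg
commit

# Both group members must appear as outputs and State must be "up".
run show forwarding-options analyzer
```

Because each member of the group sees the full mirrored stream, put two stations on one group only when both are trusted with everything that crosses the employee ports; if one station should see only a subset (for example only Web traffic for the IDS), use the firewall-filter-based port-mirroring instance the overview mentions instead of a second group member.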

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the Destination 1 switch:

Check the results of the configuration on the Destination 2 switch:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

You can verify the analyzer is configured as expected by using the show forwarding-options analyzer command.

To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show forwarding-options analyzer command on the source switch. The following output is displayed for this example configuration on the source switch:

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, which is the default behavior), the state of the configuration is up, which indicates proper state and that the analyzer is programmed, mirrors traffic entering or exiting interfaces ge-0/0/0 and ge-0/0/1, and sends mirrored traffic to multiple interfaces ge-0/0/10.0 and ge-0/0/11.0 through the next-hop-group remote-analyzer-nhg. If the state of the output interface is down or if the output interface is not configured, the value of state will be down and the analyzer will not be able to mirror traffic.

Example: Configuring Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX9200 Switches

EX9200 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering or exiting a VLAN

You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

This topic includes an example that describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch, so that you can perform analysis from a remote monitoring station.

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured mirroring sessions when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by:

    • Using statistical sampling.

    • Setting ratios to select statistical samples.

    • Using firewall filters.

This example describes how to configure remote mirroring through a transit switch:

Requirements

This example uses the following hardware and software components:

  • An EX9200 switch connected to another EX9200 switch through a third EX9200 switch

  • Junos OS Release 13.2 or later for EX Series switches

Before you configure remote mirroring, be sure that:

  • The interfaces that the analyzer will use as input interfaces have been configured on the switch.

Overview and Topology

This example describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch so that you can perform analysis on all traffic from employee computers.

In this configuration, an analyzer session is required on the destination switch to mirror incoming traffic from the analyzer VLAN to the egress interface to which the remote monitoring station is connected.

Figure 4 shows the network topology for this example.

Topology

Figure 4: Network Monitoring for Remote Mirroring Through a Transit Switch

In this example:

  1. Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both interfaces on the source switch) that serve as connections for employee computers.

  2. Interface ge-0/0/10 is a Layer 2 interface that connects to the transit switch.

  3. Interface ge-0/0/11 is a Layer 2 interface on the transit switch.

  4. Interface ge-0/0/12 is a Layer 2 interface on the transit switch and connects to the destination switch.

  5. Interface ge-0/0/13 is a Layer 2 interface on the destination switch.

  6. Interface ge-0/0/14 is a Layer 2 interface on the destination switch and connects to the remote monitoring station.

  7. VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic for Remote Analysis Through a Transit Switch

To configure mirroring for remote traffic analysis through a transit switch, for all incoming and outgoing employee traffic, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure mirroring for remote traffic analysis through a transit switch, for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

  • Copy and paste the following commands in the source switch (monitored switch) terminal window:

  • Copy and paste the following commands in the transit switch window:

  • Copy and paste the following commands in the destination switch window:

Step-by-Step Procedure

To configure remote mirroring through a transit switch:

  1. On the source switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interface connected to the transit switch for access mode and associate it with the remote-analyzer VLAN:

    • Configure the employee-monitor analyzer:

  2. On the transit switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the ge-0/0/11 interface for access mode, associate it with the remote-analyzer VLAN:

    • Configure the ge-0/0/12 interface for access mode, associate it with the remote-analyzer VLAN, and set the interface for egress traffic only:

  3. On the destination switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the ge-0/0/13 interface for access mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only:

    • Configure the interface connected to the remote monitoring station for access mode:

    • Configure the remote-analyzer analyzer:

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the transit switch:

Check the results of the configuration on the destination switch:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and the appropriate output interface.

Action

You can verify the analyzer is configured as expected by using the show forwarding-options analyzer command.

To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show forwarding-options analyzer command on the source switch. The following output is displayed for this example configuration:

Meaning

This output shows that the employee-monitor analyzer has a mirroring ratio of 1 (mirroring every packet, the default), that the state of the configuration is up (the analyzer is programmed), that it is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and that it is sending the mirrored traffic to the VLAN called remote-analyzer. If the output interface is down or is not configured, the value of State is down and the analyzer cannot mirror traffic.

Example: Configuring Mirroring for Local Monitoring of Employee Resource Use on EX4300 Switches

Note:

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches. For ELS details, see Getting Started with Enhanced Layer 2 Software.

EX4300 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering a VLAN

You can analyze the mirrored traffic by using a protocol analyzer installed on a system connected to the local destination interface or a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

This example describes how to configure local mirroring on an EX4300 switch. This example describes how to configure the switch to mirror traffic entering interfaces connected to employee computers to an analyzer output interface on the same switch.

Requirements

This example uses the following hardware and software components:

  • One EX4300 switch

  • Junos OS Release 13.2X50-D10 or later for EX Series switches

Overview and Topology

This topic includes two examples that describe how to mirror traffic entering ports on the switch to a destination interface on the same switch (local mirroring). The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario, but includes a filter to mirror only the employee traffic going to the Web.

The interfaces ge-0/0/0 and ge-0/0/1 serve as connections for employee computers. The interface ge-0/0/10 is reserved for analysis of mirrored traffic. Connect a PC running a protocol analyzer application to the analyzer output interface to analyze the mirrored traffic.

Note:

Multiple ports mirrored to one interface can cause buffer overflow and dropped packets.

Both examples use the network topology shown in Figure 5.

Figure 5: Network Topology for Local Mirroring Example

Mirroring All Employee Traffic for Local Analysis

To configure mirroring for all employee traffic for local analysis, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure local mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure an analyzer called employee-monitor and specify the input (source) interfaces and the analyzer output interface:

  1. Configure each interface connected to employee computers as an input interface for the analyzer employee-monitor:

  2. Configure the output interface of the analyzer as part of a VLAN:

  3. Configure the output analyzer interface for the analyzer employee-monitor. This will be the destination interface for the mirrored packets:

Results

Check the results of the configuration:

Mirroring Employee-to-Web Traffic for Local Analysis

To configure mirroring for employee to Web traffic, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure local mirroring of traffic from the two ports connected to employee computers, filtering so that only traffic to the external Web is mirrored, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure local mirroring of employee to Web traffic from the two ports connected to employee computers:

  1. Configure the local analyzer interface:

  2. Configure the employee-web-monitor output instance (the input to the instance comes from the action of the filter):

  3. Configure a firewall filter called watch-employee that sends mirrored copies of employee requests to the Web to the employee-web-monitor instance. Accept, without mirroring, traffic that stays inside the corporate subnet (source and destination both in 192.0.2.16/24), and send a mirrored copy of every packet destined for the Internet (destination port 80) to the employee-web-monitor instance.

  4. Apply the watch-employee filter to the appropriate ports:
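The four steps above as one configuration. This is an added example, not the page's own quick configuration: the VLAN name default for the analyzer port, the term and counter names, and the ELS match keywords ip-source-address, ip-destination-address and ip-protocol are assumptions to confirm against your release, and the subnet is written 192.0.2.0/24, which is the same /24 as the page's 192.0.2.16/24 with the host bits cleared. Two points the step text leaves implicit are made explicit in the comments: match conditions inside one term are ANDed, and a Junos filter ends in an implicit discard. Lines beginning with # are annotations.

```junos
# Step 1: local analyzer output port (VLAN name assumed)
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members default

# Step 2: port-mirroring instance with an output only; its input is whatever
# the filter action below hands to it.
set forwarding-options port-mirroring instance employee-web-monitor output interface ge-0/0/10.0

# Step 3: the filter.
# Term 1: both conditions in ONE term are ANDed, so this matches traffic whose
# source AND destination are in the corporate subnet, i.e. internal traffic,
# which is accepted without being mirrored.
set firewall family ethernet-switching filter watch-employee term employee-to-corp from ip-source-address 192.0.2.0/24
set firewall family ethernet-switching filter watch-employee term employee-to-corp from ip-destination-address 192.0.2.0/24
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
# Term 2: everything else headed for TCP port 80 is copied to the instance,
# counted (so "show firewall" proves the term is hit) and forwarded normally.
set firewall family ethernet-switching filter watch-employee term employee-to-web from ip-protocol tcp
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
set firewall family ethernet-switching filter watch-employee term employee-to-web then count employee-web-mirrored
set firewall family ethernet-switching filter watch-employee term employee-to-web then accept
# Term 3: a Junos filter ends in an implicit discard. Without this term every
# employee packet that is neither intra-corporate nor port 80 (DNS, HTTPS,
# mail, ...) would be silently dropped the moment the filter is applied.
set firewall family ethernet-switching filter watch-employee term everything-else then accept

# Step 4: apply on ingress of the employee ports
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
commit

# Checks: the instance should be "up" with ge-0/0/10.0 as output, and the
# counter should increase as employees browse.
run show forwarding-options port-mirroring
run show firewall filter watch-employee
```

Matching on destination port 80 only catches plain HTTP; the page's example is about demonstrating filter-driven mirroring, not about capturing all Web use, so extend the employee-to-web term (for example with a second term for port 443) if that is what the investigation needs.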

Results

Check the results of the configuration:

Verification

To confirm that the configuration is correct, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces, and appropriate output interface.

Action

You can use the show forwarding-options analyzer command to verify that the analyzer is configured properly.

Meaning

This output shows that the analyzer employee-monitor has a ratio of 1 (mirroring every packet, the default setting), that the maximum size of the original packet that is mirrored is 0 (the entire packet), that the state of the configuration is up, and that the analyzer is mirroring the traffic entering the ge-0/0/0 and ge-0/0/1 interfaces and sending the mirrored traffic to the ge-0/0/10 interface. If the output interface is down or is not configured, the value of State is down and the analyzer is not programmed for mirroring.

Verifying That The Port-Mirroring Instance Is Configured Properly

Purpose

Verify that the port-mirroring instance employee-web-monitor has been configured properly on the switch with the appropriate input interfaces.

Action

You can verify that the port-mirroring instance is configured properly by using the show forwarding-options port-mirroring command.

Meaning

This output shows that the employee-web-monitor instance has a ratio of 1 (mirroring every packet, the default), that the maximum size of the original packet that is mirrored is 0 (the entire packet), that the state of the configuration is up (port mirroring is programmed), and that mirrored traffic produced by the firewall filter action is sent out on interface ge-0/0/10.0. If the output interface is down or is not configured, the value of State is down and port mirroring is not programmed.

Example: Configuring Mirroring for Remote Monitoring of Employee Resource Use on EX4300 Switches

Note:

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see the corresponding remote-monitoring example for EX Series switches without ELS. For ELS details, see Getting Started with Enhanced Layer 2 Software.

EX4300 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering a VLAN on EX4300 switches

You can analyze the mirrored traffic by using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

This topic includes two related examples that describe how to mirror traffic entering ports on the switch to the remote-analyzer VLAN so that you can perform analysis from a remote monitoring station. The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario but includes a filter to mirror only the employee traffic going to the Web.

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured mirroring sessions when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by using firewall filters.

This example describes how to configure remote mirroring:

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 13.2X50-D10 or later for EX Series switches

  • An EX4300 switch connected to another EX4300 switch

The diagram shows an EX4300 Virtual Chassis connected to an EX4300 destination switch.

Before you configure remote mirroring, be sure that:

  • You have an understanding of mirroring concepts.

  • The interfaces that the analyzer will use as input interfaces have been configured on the switch.

Overview and Topology

This topic includes two related examples that describe how to configure mirroring to the remote-analyzer VLAN so that analysis can be performed from a remote monitoring station. The first example shows how to configure a switch to mirror all traffic from employee computers. The second example shows the same scenario, but the setup includes a filter to mirror only the employee traffic going to the Web.

Figure 6 shows the network topology for both these example scenarios.

Topology

Figure 6: Remote Mirroring Network Topology Example

In this example:

  1. Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both interfaces on the source switch) that serve as connections for employee computers.

  2. Interface ge-0/0/10 is a Layer 2 interface that connects the source switch to the destination switch.

  3. Interface ge-0/0/5 is a Layer 2 interface that connects the destination switch to the remote monitoring station.

  4. VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic for Remote Analysis

To configure an analyzer for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure an analyzer for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

  • Copy and paste the following commands in the source switch terminal window:

  • Copy and paste the following commands in the destination switch terminal window:

Step-by-Step Procedure

To configure basic remote port mirroring:

  1. On the source switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interface on the network port connected to the destination switch for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the employee-monitor analyzer:

  2. On the destination switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interface on the destination switch that connects to the source switch for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the interface connected to the remote monitoring station for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the employee-monitor analyzer:
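The following is a complete set of commands for the two switches in this example, added here as an illustration of the steps above; it is not configuration taken from this page or from Juniper's own example. The VLAN ID 999 is an assumption (use any ID that is unused elsewhere in your network), and the lines beginning with `##` are reader comments, not commands to paste. The source-switch analyzer copies frames entering the two employee ports, which is what the Verification section later reports; to also copy frames leaving those ports, add matching `input egress interface` statements.

```junos
## ---- Source switch (the monitored switch) ----
## Analyzer VLAN; the same VLAN ID must exist on every switch in the path.
set vlans remote-analyzer vlan-id 999

## Trunk toward the destination switch. Keep this trunk's membership to the
## analyzer VLAN only; anything else on it would also reach the far side.
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer

## Analyzer: copy every frame entering the employee ports into the analyzer VLAN
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor output vlan remote-analyzer
commit

## ---- Destination switch ----
set vlans remote-analyzer vlan-id 999

## Trunk facing the source switch
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer

## Port facing the remote monitoring station
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members remote-analyzer

## Second analyzer: take what arrives on the analyzer VLAN and deliver it to
## the station port
set forwarding-options analyzer employee-monitor input ingress vlan remote-analyzer
set forwarding-options analyzer employee-monitor output interface ge-0/0/5.0
commit
```

The remote-analyzer VLAN carries a copy of everything the employee ports receive, so treat its membership as sensitive: only the two trunk ports and the station port should belong to it, and it should not be swept in by a `vlan members all` statement on some other trunk. When the session is not in use, `deactivate forwarding-options analyzer employee-monitor` followed by `commit` stops the copying without deleting the configuration, which is what the Best Practice note above recommends.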

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the destination switch:

Mirroring Employee-to-Web Traffic for Remote Analysis

To configure port mirroring for remote traffic analysis of employee-to-Web traffic, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure port mirroring to mirror employee traffic to the external Web, copy the following commands and paste them into the switch terminal window:

  • Copy and paste the following commands in the source switch terminal window:

  • Copy and paste the following commands in the destination switch terminal window:

Step-by-Step Procedure

To configure port mirroring that copies only the Web-bound traffic from the two ports connected to employee computers to the remote-analyzer VLAN, for use from a remote monitoring station:

  1. On the source switch:

    • Configure the employee-web-monitor port mirroring instance:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interface to associate it with the remote-analyzer VLAN:

    • Configure the firewall filter called watch-employee:

    • Apply the firewall filter to the employee interfaces:

  2. On the destination switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interface on the destination switch that connects to the source switch for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the interface connected to the remote monitoring station for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the employee-monitor analyzer:
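The following source-switch configuration is an added illustration of the filter-based steps above; it is not configuration from this page or from Juniper's example. The destination switch is configured exactly as its step 2 describes (the remote-analyzer VLAN, the two trunk ports, and an employee-monitor analyzer that takes the VLAN as input and the station port as output), so it is not repeated. Assumptions: VLAN ID 999, and "the Web" taken to mean TCP ports 80 and 443. Lines beginning with `##` are reader comments, not commands.

```junos
## ---- Source switch ----
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer

## Port-mirroring instance: every packet the filter selects (rate 1) is
## copied in full into the analyzer VLAN
set forwarding-options port-mirroring instance employee-web-monitor input rate 1
set forwarding-options port-mirroring instance employee-web-monitor family ethernet-switching output vlan remote-analyzer

## Filter that selects which frames are mirrored. Only the matching term
## sends a copy; the frame itself is still forwarded (accept).
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port [ 80 443 ]
set firewall family ethernet-switching filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
set firewall family ethernet-switching filter watch-employee term employee-to-web then accept

## A Junos filter ends in an implicit discard. Without this final term the
## employee port would silently drop every frame that is not Web traffic.
set firewall family ethernet-switching filter watch-employee term everything-else then accept

## Apply the filter on ingress of the Layer 2 employee port. In this topology
## ge-0/0/1 is a Layer 3 interface, so it would need an equivalent
## family inet filter rather than this ethernet-switching filter.
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
commit
```

The catch-all `accept` term is the part most often forgotten: a filter written only to pick out traffic for mirroring is still a filter, and the implicit discard at its end applies to production traffic on the port. Check the result with `show firewall` (the term counters) and `show forwarding-options port-mirroring` before treating the mirror as trustworthy.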

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the destination switch:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

You can verify that the analyzer is configured as expected by using the show forwarding-options analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface.

To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show forwarding-options analyzer command on the source switch. The following output is displayed for this configuration example:

Meaning

This output shows that the employee-monitor instance has a ratio of 1 (mirroring every packet, the default) and a maximum mirrored packet size of 0 (the entire packet is copied). The state of the configuration is up, which indicates that the analyzer is programmed: it is mirroring the traffic entering ge-0/0/0 and ge-0/0/1 and sending the mirrored traffic to the VLAN called remote-analyzer. If the output interface is down or is not configured, the value of state is down and the analyzer is not programmed for mirroring.

Example: Configuring Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX4300 Switches

Note:

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style.

EX4300 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering a VLAN on EX4300 switches

You can analyze the mirrored traffic by using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

This topic includes an example that describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch, so that you can perform analysis from a remote monitoring station.

Best Practice:

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured mirroring sessions when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by using firewall filters.

This example describes how to configure remote mirroring through a transit switch:

Requirements

This example uses the following hardware and software components:

  • An EX4300 switch connected to another EX4300 switch through a third EX4300 switch

  • Junos OS Release 13.2X50-D10 or later for EX Series switches

Before you configure remote mirroring, be sure that:

  • You have an understanding of mirroring concepts.

  • The interfaces that the analyzer will use as input interfaces have been configured on the switch.

Overview and Topology

This example describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch so that you can perform analysis from a remote monitoring station. The example shows how to configure a switch to mirror all traffic from employee computers to a remote analyzer.

In this configuration, an analyzer session is required on the destination switch to mirror incoming traffic from the analyzer VLAN to the egress interface to which the remote monitoring station is connected. You must also disable MAC learning for the remote-analyzer VLAN on the transit switch, which disables it on all member interfaces of that VLAN there. The mirrored frames still carry the employees' original source MAC addresses; if the transit switch learned those addresses on the remote-analyzer VLAN, it would treat the copies as ordinary switched traffic rather than flooding them toward the destination switch.

Figure 7 shows the network topology for this example.

Topology

Figure 7: Remote Mirroring Through a Transit Switch Network–Sample Topology

In this example:

  • Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both interfaces on the source switch) that serve as connections for employee computers.

  • Interface ge-0/0/10 is a Layer 2 interface that connects to the transit switch.

  • Interface ge-0/0/11 is a Layer 2 interface on the transit switch.

  • Interface ge-0/0/12 is a Layer 2 interface on the transit switch and connects to the destination switch.

  • Interface ge-0/0/13 is a Layer 2 interface on the destination switch.

  • Interface ge-0/0/14 is a Layer 2 interface on the destination switch and connects to the remote monitoring station.

  • VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic for Remote Analysis Through a Transit Switch

To configure mirroring for remote traffic analysis through a transit switch, for all incoming and outgoing employee traffic, perform these tasks:

Procedure

CLI Quick Configuration

To quickly configure mirroring for remote traffic analysis through a transit switch, for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

  • Copy and paste the following commands in the source switch (monitored switch) terminal window:

  • Copy and paste the following commands in the transit switch window:

  • Copy and paste the following commands in the destination switch window:

Step-by-Step Procedure

To configure remote mirroring through a transit switch:

  1. On the source switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the interface on the network port connected to the transit switch for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the employee-monitor analyzer:

  2. On the transit switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the ge-0/0/11 interface for trunk mode and associate it with the remote-analyzer VLAN:

    • Configure the ge-0/0/12 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for egress traffic only:

    • Configure the no-mac-learning option for the remote-analyzer VLAN to disable MAC learning on all interfaces that are members of the remote-analyzer VLAN:

  3. On the destination switch:

    • Configure the VLAN ID for the remote-analyzer VLAN:

    • Configure the ge-0/0/13 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only:

    • Configure the interface connected to the remote monitoring station for trunk mode:

    • Configure the employee-monitor analyzer:
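The following transit-switch and destination-switch commands are an added illustration of steps 2 and 3 above; they are not configuration from this page or from Juniper's example. The source switch is configured as step 1 describes (remote-analyzer VLAN, ge-0/0/10 as a trunk carrying that VLAN, and an employee-monitor analyzer whose output is the VLAN), so it is not repeated. Assumptions: VLAN ID 999, and the `egress` and `ingress` keywords under `vlans remote-analyzer interface` as the way to mark the inter-switch ports for one direction only, which is my reading of the step descriptions; confirm them with `?` in the CLI on your release. Lines beginning with `##` are reader comments, not commands.

```junos
## ---- Transit switch ----
set vlans remote-analyzer vlan-id 999

## Trunk from the source switch
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members remote-analyzer

## Trunk toward the destination switch; it only ever carries mirrored copies
## outbound, so mark it as an egress-only member of the analyzer VLAN
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/12.0 egress

## No MAC learning on the analyzer VLAN: the copies carry the employees'
## source MACs, and learning them here would make the transit switch switch
## the copies as if they were ordinary traffic instead of passing them on
set vlans remote-analyzer switch-options no-mac-learning
commit

## ---- Destination switch ----
set vlans remote-analyzer vlan-id 999

## Trunk from the transit switch; mirrored copies only ever arrive here
set interfaces ge-0/0/13 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/13.0 ingress

## Port facing the remote monitoring station
set interfaces ge-0/0/14 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members remote-analyzer

## Analyzer that delivers what arrives on the analyzer VLAN to the station
set forwarding-options analyzer employee-monitor input ingress vlan remote-analyzer
set forwarding-options analyzer employee-monitor output interface ge-0/0/14.0
commit
```

After committing, `show ethernet-switching table vlan-name remote-analyzer` on the transit switch should stay empty while mirrored traffic flows; entries appearing there mean the no-mac-learning statement did not take effect and the transit switch is learning the employees' addresses from the copies.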

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the transit switch:

Check the results of the configuration on the destination switch:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and the appropriate output interface.

Action

You can verify whether the analyzer is configured as expected by using the show forwarding-options analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface.

To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show forwarding-options analyzer command on the source switch. The following output is displayed for this example configuration:

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and is sending the mirrored traffic to the VLAN called remote-analyzer.