Configuring Port Mirroring Instances

Layer 2 Port Mirroring Global Instance

On an MX Series router and on an EX Series switch, you can configure a set of port-mirroring properties that implicitly apply to packets received on all ports in the router (or switch) chassis. This set of port-mirroring properties is the global instance of Layer 2 port mirroring for the router or switch.

Within the global instance configuration, you can specify a set of mirror destination properties for each packet address family supported by Layer 2 port mirroring.

For a general description of Layer 2 port-mirroring properties, see Understanding Layer 2 Port Mirroring Properties. For a comparison of the types of Layer 2 port mirroring available on an MX Series router and on an EX Series switch, see Application of Layer 2 Port Mirroring Types.

Configuring the Global Instance of Layer 2 Port Mirroring

On an MX Series router and on an EX Series switch, you can configure a set of Layer 2 port-mirroring properties that implicitly apply to packets received on all ports in the router (or switch) chassis.

To configure the global instance of Layer 2 port mirroring on an MX Series router and on an EX Series switch:

  1. Enable configuration of the Layer 2 port mirroring:
  2. Enable configuration of the packet-selection properties:
  3. Specify global-level packet-selection properties.

    1. Specify the number of packets to select:

      The valid range is 1 through 65535.


    2. Specify the number of packets to mirror from each selection:

      The valid range is 0 through 20. The default value is 0.


    3. Specify the length to which mirrored packets are to be truncated:

      The valid range is 0 through 9216. The default value is 0, which means the mirrored packets are not truncated.

  4. Specify the global-level Layer 2 address-type family from which traffic is to be selected for mirroring:

    The value of the family option can be ethernet-switching, ccc, or vpls.

    Note:

    Under the [edit forwarding-options port-mirroring] hierarchy level, the protocol family statement family ethernet-switching is an alias for family vpls. The command-line interface (CLI) displays Layer 2 port-mirroring configurations as family vpls, even for Layer 2 port-mirroring configured as family ethernet-switching. Use family ethernet-switching when the physical interface is configured with encapsulation ethernet-bridge.

  5. Enable configuration of global-level mirror destination properties for this address family:
  6. Specify global-level mirror destination properties for this address family.

    1. Specify the physical interface on which to send the mirrored packets:

      You can also specify an integrated routing and bridging (IRB) interface as the output interface.


    2. (Optional) Allow configuration of filters on the destination interface for the named port-mirroring instance:

  7. (Optional) Specify that any packets selected for mirroring are to be mirrored only once to any mirroring destination:
    Tip:

    Enable the mirror-once option when an MX Series router or an EX Series switch is configured to perform Layer 2 port mirroring at both ingress and egress interfaces, which could result in sending duplicate packets to the same destination (which would complicate the analysis of the mirrored traffic).

  8. Verify the minimum configuration of the global instance of Layer 2 port mirroring:
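
A global instance assembled from the steps above, as an added example rather than a listing from the original page. The interface name and the numeric values are constructed.

```junos
forwarding-options {
    port-mirroring {
        input {
            /* number of packets to select; valid range 1 through 65535 */
            rate 10;
            /* packets to mirror from each selection; valid range 0 through 20 */
            run-length 4;
            /* truncate mirrored packets to 256 bytes; 0 (default) = no truncation */
            maximum-packet-length 256;
        }
        /* the CLI displays family vpls even when ethernet-switching was entered */
        family vpls {
            output {
                /* constructed interface name for the mirror destination */
                interface ge-2/0/5.0;
                /* optional: allow filters on the destination interface */
                no-filter-check;
            }
        }
        /* optional: mirror each selected packet only once per destination */
        mirror-once;
    }
}
```

A nonzero maximum-packet-length keeps the headers needed for analysis while limiting how much payload reaches the device attached to the mirror destination.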

Layer 2 Port Mirroring Named Instances

This topic describes the following information:

Layer 2 Port Mirroring Named Instances Overview

On an MX Series router and on an EX Series switch, you can define a set of port-mirroring properties that you can explicitly bind to physical ports on the router or switch. This set of port mirroring properties is known as a named instance of Layer 2 port mirroring.

You can bind a named instance of Layer 2 port mirroring to physical ports associated with an MX Series router’s or an EX Series switch’s Packet Forwarding Engine components at different levels of the router (or switch) chassis:

  • At the FPC level—You can bind a named instance to the physical ports associated with a specific Dense Port Concentrator (DPC) or to the physical ports associated with a specific Flexible Port Concentrator (FPC).

  • At the PIC level—You can bind a named instance of port mirroring to a specific Packet Forwarding Engine (on a specific DPC) or to a specific PIC.

Note:

MX Series routers support DPCs as well as FPCs and PICs. Unlike FPCs, DPCs do not support PICs. In the Junos OS CLI, however, you use FPC and PIC syntax to configure or display information about DPCs and the Packet Forwarding Engines on the DPCs.

The following points summarize the behavior of Layer 2 port mirroring based on named instances:

  • The scope of packet selection is determined by the target of the binding—At the ports (or port) bound to a named instance of Layer 2 port mirroring, the router or switch selects input packets according to the packet-selection properties in the named instance.

  • The destination of a selected packet is determined by the packet address family—Of the packets selected, the router or switch mirrors only the packets belonging to an address family for which the named instance of Layer 2 port mirroring specifies a set of mirror destination properties. In a Layer 2 environment, MX Series routers and EX Series switches support port mirroring of VPLS (family ethernet-switching or family vpls) traffic and Layer 2 VPN traffic with family ccc.

For a general description of Layer 2 port-mirroring properties, see Understanding Layer 2 Port Mirroring Properties. For a comparison of the types of Layer 2 port mirroring available on an MX Series router and on an EX Series switch, see Application of Layer 2 Port Mirroring Types.

Mirroring at Ports Grouped at the FPC Level

On an MX Series router and on an EX Series switch, you can bind a named instance of Layer 2 port mirroring to a specific DPC or FPC installed in the router (or switch) chassis. The port-mirroring properties in the instance are applied to all Packet Forwarding Engines (and their associated ports) on the specified DPC or to all PICs (and their associated ports) installed in the specified FPC. Port-mirroring properties that are bound to a DPC or FPC override any port-mirroring properties bound at the global level of the MX Series router (or switch) chassis.

Mirroring at Ports Grouped at the PIC Level

On an MX Series router and on an EX Series switch, you can bind a named instance of Layer 2 port mirroring to a specific Packet Forwarding Engine or PIC. The port-mirroring properties in that instance are applied to all ports associated with the specified Packet Forwarding Engine or PIC. Port-mirroring properties that are bound to a Packet Forwarding Engine or PIC override any port-mirroring properties bound at the DPC or FPC that contains them.

Note:

For MX960 routers, there is a one-to-one mapping of Packet Forwarding Engines to Ethernet ports. Therefore, on MX960 routers only, you can configure port-specific bindings of port-mirroring instances.

Mirroring at a Group of Ports Bound to Multiple Named Instances

On an MX Series router and on an EX Series switch, you can apply up to two named instances of Layer 2 port mirroring to the same group of ports within the router (or switch) chassis. By applying two different port-mirroring instances to the same DPC, FPC, Packet Forwarding Engine, or PIC, you can bind two distinct Layer 2 port mirroring specifications to a single group of ports.

Note:

You can configure only one global instance of Layer 2 port mirroring on an MX Series router and on an EX Series switch.

Note:

You can configure more than two port mirroring instances for each FPC by configuring inline port mirroring. For information on inline port mirroring, see Configuring Inline Port Mirroring.

Defining a Named Instance of Layer 2 Port Mirroring

On an MX Series router and on an EX Series switch, you can define a set of Layer 2 port-mirroring properties that you can bind to a particular Packet Forwarding Engine (at the PIC level of the router or switch chassis) or to a group of Packet Forwarding Engines (at the DPC or FPC level of the chassis).

To define a named instance of Layer 2 port mirroring on an MX Series router or on an EX Series switch:

  1. Enable configuration of a named instance of Layer 2 port mirroring:
  2. Enable configuration of the packet-sampling properties:
  3. Specify packet-selection properties:

    1. Specify the number of packets to select:

      The valid range is 1 through 65535.


    2. Specify the number of packets to mirror from each selection:

      The valid range is 0 through 20. The default value is 0.

      Note:

      The run-length statement is not supported on MX80 routers.


    3. Specify the length to which mirrored packets are to be truncated:

      The valid range is 0 through 9216. The default value is 0, which means the mirrored packets are not truncated.

      Note:

      The maximum-packet-length statement is not supported on MX80 routers.

  4. Enable configuration of the mirror destination properties for Layer 2 packets that are part of a bridging domain, Layer 2 switching cross-connects, or virtual private LAN service (VPLS):

    1. Specify the Layer 2 address family type of traffic to be mirrored:

      The value of the family option can be ethernet-switching, ccc, or vpls.

      Note:

      Under the [edit forwarding-options port-mirroring] hierarchy level, the protocol family statement family ethernet-switching is an alias for family vpls. The command-line interface (CLI) displays Layer 2 port-mirroring configurations as family vpls, even for Layer 2 port-mirroring configured as family ethernet-switching. Use family ethernet-switching when the physical interface is configured with encapsulation ethernet-bridge.


    2. Enable configuration of the mirror destination properties:

  5. Specify mirror destination properties.

    1. Specify the physical interface on which to send the mirrored packets:


    2. (Optional) Allow configuration of filters on the destination interface for the global port-mirroring instance:

      Note:

      You cannot configure port mirroring instances on MX80 routers. You can only configure port mirroring at the global level on MX80 routers.

  6. (Optional) Specify that any packets selected for mirroring are to be mirrored only once to any mirroring destination:
    Tip:

    Enable the global mirror-once option when an MX Series router or an EX Series switch is configured to perform Layer 2 port mirroring at both ingress and egress interfaces, which could result in sending duplicate packets to the same destination (which in turn would complicate the analysis of the mirrored traffic).

  7. To configure a mirroring destination for a different packet family type, repeat steps 4 through 6.
  8. Verify the minimum configuration of the named instances of Layer 2 port mirroring:

Disabling Layer 2 Port Mirroring Instances

You can disable the global instance of Layer 2 port mirroring, a particular named instance, or all instances of port mirroring:

Configuring Inline Port Mirroring

Inline port mirroring lets you specify, in the firewall filter then port-mirror-instance action, instances that are not bound to the Flexible PIC Concentrator (FPC). This way, you are not limited to only two port-mirror instances per FPC. Inline port mirroring decouples the port-mirror destination from input parameters such as rate. While the input parameters are programmed in the switch interface board, the next-hop destination of the mirrored packet is available in the packet itself. Inline port mirroring is supported only on Trio-based Modular Port Concentrators (MPCs).

Using inline port mirroring, a port-mirror instance will have an option to inherit input parameters from another instance that specifies it, as shown in the following CLI configuration example:

Multiple levels of inheritance are not allowed. One instance can be referred to by multiple instances. An instance can refer to another instance that is defined before it. Forward references are not allowed, and an instance cannot refer to itself; doing so causes an error during configuration parsing.

You can specify an instance that is not bound to the FPC in the firewall filter. The specified filter should inherit one of the two instances that have been bound to the FPC. If it does not, the packet is not marked for port mirroring. If it does, the packet is sampled using the input parameters specified by the referred instance, but the copy is sent to its own destination.
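
The named-instance procedure and the inline inheritance rules above, combined in one added example that is not a listing from the original page. Instance, filter, and interface names and the FPC slot are constructed; input-parameters-instance and the chassis-level port-mirror-instance binding are Junos statements that this page does not show. Applying the filter to an interface is omitted.

```junos
forwarding-options {
    port-mirroring {
        instance {
            /* named instance with its own packet-selection properties */
            pm-fpc2 {
                input {
                    rate 100;
                    run-length 2;
                }
                family vpls {
                    output {
                        interface ge-2/0/5.0;
                    }
                }
            }
            /* defined after pm-fpc2 (no forward reference) and inherits its
               input parameters; copies go to this instance's own destination */
            pm-inline {
                input-parameters-instance pm-fpc2;
                family vpls {
                    output {
                        interface ge-2/0/6.0;
                    }
                }
            }
        }
    }
}
chassis {
    fpc 2 {
        /* only pm-fpc2 is bound at the FPC level */
        port-mirror-instance pm-fpc2;
    }
}
firewall {
    family vpls {
        filter mirror-inline {
            term t1 {
                then {
                    /* pm-inline is not bound to FPC 2; packets are marked for
                       mirroring because it inherits the bound pm-fpc2 */
                    port-mirror-instance pm-inline;
                    accept;
                }
            }
        }
    }
}
```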