
Configuring Port Mirroring: Local and Remote Analysis

Configuring Port Mirroring

You use port mirroring to copy packets and send the copies to a device running an application such as a network analyzer or intrusion detection application so that you can analyze traffic without delaying it. You can mirror traffic entering or exiting a port or entering a VLAN, and you can send the copies to a local access interface or to a VLAN through a trunk interface.

We recommend that you disable port mirroring when you are not using it. To avoid creating a performance issue if you do enable port mirroring, we recommend that you select specific input interfaces instead of using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter.

Note:

This task uses the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Port Mirroring. For ELS details, see Using the Enhanced Layer 2 Software CLI.

Note:

If you want to create additional analyzers without deleting an existing analyzer, first disable the existing analyzer by using the disable analyzer analyzer-name command.

Note:

You must configure port mirroring output interfaces as family ethernet-switching.

Configuring Port Mirroring for Local Analysis

To mirror interface traffic to a local interface on the switch:

  1. If you want to mirror traffic that is ingressing or egressing specific interfaces, choose a name for the port-mirroring configuration and configure what traffic should be mirrored by specifying the interfaces and direction of traffic:
    Note:

    If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs. If you do so, some VLAN packets might contain incorrect VLAN IDs.

    Note:

    If you configure mirroring for packets that egress an access interface, the original packets lose any VLAN tags when they exit the access interface, but the mirrored (copied) packets retain the VLAN tags when they are sent to the analyzer system.

  2. If you want to specify that all traffic entering a VLAN should be mirrored, choose a name for the port-mirroring configuration and specify the VLAN:
    Note:

    You cannot configure port mirroring to copy traffic that egresses a VLAN.

  3. Configure the destination interface for the mirrored packets:

Configuring Port Mirroring for Remote Analysis

To mirror traffic to a VLAN for analysis at a remote location:

  1. Configure a VLAN to carry the mirrored traffic:
  2. Configure the interface that connects to another switch (the uplink interface) to trunk mode and associate it with the appropriate VLAN:
  3. Configure the analyzer:
    1. Choose a name for the analyzer:
    2. Specify the interface to be mirrored and whether the traffic should be mirrored on ingress or egress:
    3. Specify the appropriate IP address or VLAN as the output (a VLAN is specified in this example):

      If you specify an IP address as the output, note the following constraints:

      • The address cannot be in the same subnetwork as any of the switch management interfaces.

      • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).

      • The analyzer device must be able to de-encapsulate GRE-encapsulated packets, or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer device. (You can use a network sniffer to de-encapsulate the packets.)

Filtering the Traffic Entering an Analyzer

Note:

This functionality is not supported on NFX150 devices.

In addition to specifying which traffic to mirror by configuring an analyzer, you can also use a firewall filter to exercise more control over which packets are copied. For example, you might use a filter to specify that only traffic from certain applications be mirrored. The filter can use any of the available match conditions and must have an action modifier of port-mirror-instance instance-name. If you use the same analyzer in multiple filters or terms, the output packets are copied only once.

When you use a firewall filter as the input to a port-mirroring instance, you send the copied traffic to a local interface or a VLAN just as you do when a firewall is not involved.

To configure port mirroring with filters:

  1. Configure a port-mirroring instance for local or remote analysis. Configure only the output. For example, for local analysis enter:
    Note:

    You cannot configure input to this instance.

  2. Create a firewall filter using any of the available match conditions. In the then clause of a term, include the action modifier port-mirror-instance instance-name.
  3. Apply the firewall filter to the interfaces or VLAN that should provide the input to the analyzer:

Configuring Port Mirroring on SRX Series Firewalls

To configure port mirroring on an SRX device, you must first configure the forwarding-options and interfaces at the [edit] hierarchy level.

You must configure the forwarding-options statement to define an instance of the mirror-to port for port mirroring and also configure the interface to be mirrored.

Note:

The mirrored port and the mirror-to port must be under the same Broadcom chipset in an I/O card.

To configure port mirroring:

  1. Specify the rate and run-length at the [edit forwarding-options port-mirroring input] hierarchy level:
    Note:

    • rate: Ratio of packets to be sampled (1 out of N) (1 through 65535)

    • run-length: Number of samples after initial trigger (0 through 20)

  2. To send the copies of the packet to the mirror-to port, include the interface intf-name statement at the [edit forwarding-options port-mirroring family any output] hierarchy level.
    Note:

    Port mirroring on SRX Series Firewalls uses family any to transfer the mirror-to port information to the Packet Forwarding Engine (PFE). The mirroring engine copies all the packets from the mirrored port to the mirror-to port.

Note:

You can configure an instance clause to specify multiple mirror-to ports.

To mirror an interface, include the port-mirror-instance statement at the [edit interface mirrored-intf-name] hierarchy level.

The mirrored interface is configured with an instance name that is defined under forwarding-options. The mirrored port and the mirror-to port are linked through that instance.

Note:

Port mirroring on SRX Series Firewalls does not differentiate the traffic direction, but mirrors the ingress and egress samples together.

A sample configuration for port mirroring is shown below:
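The following is an added example, not the page's own sample configuration. It assumes the SRX statement syntax described in the steps above (port-mirroring instance with input rate/run-length, family any output, and port-mirror-instance on the mirrored interface); the interface names and the instance name srx-mirror are constructed.

```junos
# Added example (assumed syntax, not the page's own sample). Copies every
# packet seen on ge-0/0/1 (mirrored port) to ge-0/0/2 (mirror-to port).
# rate N means 1 out of N packets is sampled; rate 1 samples all packets,
# which is what an IDS needs. run-length 0 takes no extra samples per trigger.
set forwarding-options port-mirroring instance srx-mirror input rate 1
set forwarding-options port-mirroring instance srx-mirror input run-length 0
# family any: the PFE copies whole frames regardless of protocol family.
set forwarding-options port-mirroring instance srx-mirror family any output interface ge-0/0/2.0
# Link the mirrored port to the instance. Ingress and egress samples are
# mirrored together; the direction cannot be selected on SRX.
set interfaces ge-0/0/1 port-mirror-instance srx-mirror
# Mirror-to port: the family below is an assumption for this example.
set interfaces ge-0/0/2 unit 0 family ethernet-switching
```

Both ports must sit on the same Broadcom chipset of the I/O card, as the note above states; the `#` lines are explanatory comments.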

Examples: Configuring Port Mirroring for Local Analysis

Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring copies packets entering or exiting an interface or entering a VLAN and sends the copies to a local interface for local monitoring.

Note:

This example uses the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI.

This example describes how to configure port mirroring to copy traffic sent by employee computers to a switch to an access interface on the same switch.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 13.2

  • A switch

Overview and Topology

This topic includes two related examples that describe how to mirror traffic entering interfaces on the switch to an access interface on the same switch. The first example shows how to mirror all traffic sent by employee computers to the switch. The second example includes a filter to mirror only the employee traffic going to the Web.

Topology

In this example, xe-0/0/0 and xe-0/0/6 serve as connections for employee computers. Interface xe-0/0/47 is connected to a device running an analyzer application.

Note:

Mirroring multiple ports to one output interface can overflow the output buffer and cause dropped packets.

Figure 1 shows the network topology for this example.

Figure 1: Network Topology for Local Port Mirroring Example

Example: Mirroring All Employee Traffic for Local Analysis

To configure port mirroring for all traffic sent by employee computers for local analysis, perform the tasks explained in this section.

Procedure

CLI Quick Configuration

To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into a switch terminal window:

Step-by-Step Procedure

To configure an analyzer called employee-monitor and specify the input (source) interfaces and the output interface:

  1. Configure the interfaces connected to employee computers as input interfaces for the port-mirror analyzer employee-monitor:

  2. Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets:
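The following is an added example (not the page's own CLI Quick Configuration) that serves both the generic local-analysis procedure earlier on this page and the two steps above: it assumes the ELS analyzer syntax and the interfaces from Figure 1.

```junos
# Added example, not the page's own configuration. Analyzer employee-monitor
# copies packets entering xe-0/0/0 and xe-0/0/6 (employee ports) to the access
# interface xe-0/0/47, where the analyzer application is connected.
# Output interface must be family ethernet-switching.
set interfaces xe-0/0/47 unit 0 family ethernet-switching
# Constructed description: marks the port as a mirror destination so it is
# not later reused as a user-facing access port.
set interfaces xe-0/0/47 description "mirror output to analyzer, not a user port"
# Specific input interfaces rather than the all keyword, as recommended above.
# Only ingress is mirrored; "input egress interface ..." would add the other
# direction (mirrored egress copies keep their VLAN tags, see the note above).
set forwarding-options analyzer employee-monitor input ingress interface xe-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface xe-0/0/6.0
set forwarding-options analyzer employee-monitor output interface xe-0/0/47.0
```

After committing, confirm the analyzer state with the show analyzer command; the `#` lines are explanatory comments.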

Results

Check the results of the configuration:

Example: Mirroring Employee Web Traffic with a Firewall Filter

Requirements

This example uses the following hardware and software components:

  • One QFX5100 switch

  • Junos OS Release 14.1X53-D30

Overview

Rather than mirror all traffic, it is usually desirable to mirror only certain traffic. This is a more efficient use of your bandwidth and hardware and might be necessary due to constraints on these assets. To select specific traffic for mirroring, you use a firewall filter to match the desired traffic and direct it to a port-mirroring instance. The port-mirroring instance then copies the packets and sends them to the output VLAN, interface, or IP address.

Configuring

To mirror only the traffic that employees send to the Web, perform the tasks explained in this section. A firewall filter selects that traffic and directs it to a port-mirroring instance.

Procedure

CLI Quick Configuration

To quickly configure local port mirroring of traffic from employee computers that is destined for the Web, copy the following commands and paste them into a switch terminal window:

Step-by-Step Procedure

To configure local port mirroring of employee-to-web traffic from the two ports connected to employee computers:

  1. Configure the output interface:

  2. Configure the employee-web-monitor output interface. (Configure only the output—the input comes from the filter.)

  3. Configure a firewall filter called watch-employee that includes a term to match traffic sent to the Web and send it to the port-mirroring instance employee-web-monitor. Traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28) does not need to be copied, so create another term to accept that traffic before it reaches the term that sends Web traffic to the instance:

  4. Apply the firewall filter to the appropriate interfaces as an ingress filter (egress filters do not allow analyzers):
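The following is an added example (not the page's own CLI Quick Configuration) that serves both the Filtering the Traffic Entering an Analyzer procedure and the four steps above. It assumes the ELS family ethernet-switching filter syntax, matches the corporate subnet on destination address only, and uses the named ports http and https; for remote analysis the same filter would target an instance whose output is the analyzer VLAN.

```junos
# Added example (assumed syntax, not the page's own configuration). The
# instance has an output only; the filter watch-employee supplies its input.
set interfaces xe-0/0/47 unit 0 family ethernet-switching
set forwarding-options port-mirroring instance employee-web-monitor output interface xe-0/0/47.0
# Term 1: traffic to the corporate subnet is accepted here, so it never
# reaches the mirroring term (terms are evaluated in order, first match wins).
set firewall family ethernet-switching filter watch-employee term corp-traffic from ip-destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term corp-traffic then accept
# Term 2: Web traffic is copied to the instance. port-mirror-instance is only
# an action modifier; the explicit accept keeps the original packet flowing.
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port http
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port https
set firewall family ethernet-switching filter watch-employee term employee-to-web then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
# Final term: everything else is forwarded unmirrored. Without it, the implicit
# discard at the end of a Junos filter would drop all other employee traffic.
set firewall family ethernet-switching filter watch-employee term allow-rest then accept
# Apply as an ingress filter only; egress filters cannot feed an analyzer.
set interfaces xe-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces xe-0/0/6 unit 0 family ethernet-switching filter input watch-employee
```

Verify with the show forwarding-options port-mirroring command described under Verification below; the `#` lines are explanatory comments.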

Results

Check the results of the configuration:

Verification

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the port-mirroring instance named employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

You can verify that the port-mirroring instance has been configured as expected by using the show forwarding-options port-mirroring command.

Meaning

This output shows the following information about the port-mirroring instance employee-web-monitor:

  • The rate is 1 (mirroring every packet, the default setting)

  • The number of consecutive packets sampled (run-length) is 0

  • The maximum size of the original packet that is mirrored is 0 (0 indicates the entire packet)

  • The state of the output parameters: up indicates that the instance is mirroring the traffic entering the xe-0/0/0 and xe-0/0/6 interfaces and is sending the mirrored traffic to the xe-0/0/47 interface

If the state of the output interface is down or if the output interface is not configured, the state value will be down and the instance will not be programmed for mirroring.

Example: Configuring Port Mirroring for Remote Analysis

Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring copies packets entering or exiting an interface or entering a VLAN and sends the copies either to a local interface for local monitoring or to a VLAN for remote monitoring. This example describes how to configure port mirroring for remote analysis.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 13.2 for the QFX Series

  • A switch

Overview and Topology

This topic includes two related examples that describe how to mirror traffic entering ports on the switch to an analyzer VLAN so that you can perform analysis using a remote device. The first example shows how to mirror all traffic sent by employee computers to the switch. The second example includes a filter to mirror only the employee traffic going to the Web.

Topology

In this example:

  • Interfaces ge-0/0/0 and ge-0/0/1 are Layer 2 interfaces that connect to employee computers.

  • Interface ge-0/0/2 is a Layer 2 interface that connects to another switch.

  • VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Note:

In addition to performing the configuration steps described here, you must also configure the analyzer VLAN (remote-analyzer in this example) on the other switches that are used to connect the source switch (the one in this configuration) to the one that the monitoring station is connected to.

Mirroring All Employee Traffic for Remote Analysis

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:

Step-by-Step Procedure

To configure basic remote port mirroring:

  1. Configure the analyzer VLAN (called remote-analyzer in this example):

  2. Configure the interface connected to another switch for trunk mode and associate it with the remote-analyzer VLAN:

  3. Configure the employee-monitor analyzer:

  4. Configure the remote-analyzer VLAN on the switches that connect this switch to the monitoring workstation.
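The following is an added example (not the page's own CLI Quick Configuration) that serves both the Configuring Port Mirroring for Remote Analysis procedure and the four steps above. It assumes the ELS syntax for VLANs, trunk ports and analyzer output to a VLAN; the VLAN ID 999 is constructed.

```junos
# Added example (assumed syntax, not the page's own configuration) for the
# source switch in the remote-analysis topology. VLAN ID 999 is constructed.
# Keep this VLAN dedicated to mirrored traffic: no access ports, no other data.
set vlans remote-analyzer vlan-id 999
# Uplink ge-0/0/2 to the next switch: trunk mode, carrying the analyzer VLAN.
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members remote-analyzer
# Analyzer: employee ports in, remote-analyzer VLAN out (not a local interface).
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor output vlan remote-analyzer
# Step 4 happens on each intermediate switch: repeat the vlans line and the
# trunk membership for that switch's own uplinks toward the monitoring station.
```

Because the VLAN carries copies of user traffic across the network, confine it to the trunks on the path to the monitoring station; the `#` lines are explanatory comments.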

Results

Check the results of the configuration:

Mirroring Employee-to-Web Traffic for Remote Analysis

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:

Procedure

Step-by-Step Procedure

  1. Configure the analyzer VLAN (called remote-analyzer in this example):

  2. Configure an interface to associate it with the remote-analyzer VLAN:

  3. Configure the employee-web-monitor analyzer. (Configure only the output—the input comes from the filter.)

  4. Configure a firewall filter called watch-employee to match traffic sent to the Web and send it to the analyzer employee-web-monitor:

  5. Apply the firewall filter to the appropriate interfaces as an ingress filter:

  6. Configure the remote-analyzer VLAN on the switches that connect this switch to the monitoring workstation.

Results

Check the results of the configuration:

Verification

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

You can verify that the analyzer is configured as expected by using the show analyzer command.

Meaning

This output shows that the employee-monitor analyzer is mirroring the traffic entering ge-0/0/0 and ge-0/0/1 and is sending the mirrored traffic to the VLAN remote-analyzer.