Understanding Port Mirroring and Analyzers

Port Mirroring Overview

Port mirroring and analyzers send copies of network traffic to devices running analyzer applications. A port mirror copies Layer 3 IP traffic to an interface. An analyzer copies bridged (Layer 2) packets to an interface. Mirrored traffic can be sourced from a single interface or from multiple interfaces. You can use a device attached to a mirror output interface running an analyzer application to perform tasks such as monitoring compliance, enforcing policies, detecting intrusions, monitoring network performance, correlating events, and troubleshooting other problems on the network.

On routers containing an Internet Processor II application-specific integrated circuit (ASIC) or T Series Internet Processor, port mirroring copies Unicast packets entering or exiting a port or entering a VLAN and sends those copies to a local interface for local monitoring or to a VLAN for remote monitoring. The mirrored traffic is received by applications that help you analyze that traffic.

Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine, where the key is either written to a file or used to build cflowd records that are sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through the specified interface, where it can be captured and analyzed in detail.

You can configure both traffic sampling and port mirroring, setting an independent sampling rate and run-length for port-mirrored packets. However, if a packet is selected for both traffic sampling and port mirroring, only port mirroring is executed, as it takes precedence. In other words, if you configure an interface to traffic sample every packet input to the interface and port mirroring also selects that packet to be copied and sent to the destination port, only the port mirroring process is executed. Traffic sampled packets that are not selected for port mirroring continue to be sampled and forwarded to the cflowd server.

You can use port mirroring to copy:

  • All of the packets entering or exiting an interface in any combination. Copies of packets entering some interfaces and packets exiting other interfaces can be sent to the same local interface or VLAN. If you configure port mirroring to copy packets exiting an interface, traffic that originates on that switch or Node device (in a QFabric system) is not copied when it egresses. Only switched traffic is copied on egress. (See the limitation on egress mirroring below.)

  • Any or all packets entering a VLAN. You cannot use port mirroring to copy packets exiting a VLAN.

  • A firewall-filtered sample of packets entering a port or VLAN.

    Note:

    Firewall filters are not supported on egress ports; you cannot specify policy-based sampling of packets exiting an interface.

Analyzer Overview

You can configure an analyzer statement to define both the input traffic and output traffic in the same analyzer configuration. The traffic to be analyzed can be traffic that enters or exits an interface, or traffic that enters a VLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, or VLAN. You can configure an analyzer at the [edit forwarding-options analyzer] hierarchy.

Port-Mirroring Terminology

Table 1 lists the terms used in the documentation about port mirroring and provides definitions.

Table 1: Port Mirroring Terms and Definitions
Term Definition

Analyzer instance

Port-mirroring configuration that includes a name, source interfaces or source VLAN, and a destination for mirrored packets (either a local interface or a VLAN).

Port mirroring instance

Note:

Port mirroring instance is not supported on NFX150 devices.

A port-mirroring configuration that does not specify an input. A firewall filter must be used to send traffic to the port mirror. Use the port-mirror-instance instance-name action in the firewall filter configuration to send packets to the port mirror.

Output interface (also known as the monitor interface)

The interface to where the copies of packets are sent and to which a device running an analyzer is connected.

The following limitations apply to an output interface (the target mirror interface):

  • Cannot also be a source port.

  • Cannot be used for switching.

  • Cannot be an aggregated Ethernet interface (LAG).

  • Cannot participate in Layer 2 protocols, such as Spanning Tree Protocol (STP).

  • Existing VLAN associations are lost when port mirroring is applied to the interface.

  • Packets are dropped if the capacity of the output interface is insufficient to handle the traffic from the mirrored source ports.

Output IP address

IP address of the device running an analyzer application. The device can be on a remote network.

When you use this feature:

  • Mirrored packets are GRE-encapsulated. The analyzer application must be able to de-encapsulate GRE-encapsulated packets or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer application. (You can use a network sniffer to de-encapsulate the packets.)

  • The output IP address cannot be in the same subnetwork as any of the switch management interfaces.

  • If you create virtual routing instances and an analyzer configuration that includes an output IP address, the output IP address belongs to the default virtual routing instance (inet.0 routing table).

Output VLAN (also known as monitor or analyzer VLAN)

VLAN to where copies of the packets are sent and to where a device running an analyzer is connected. The analyzer VLAN can span multiple switches.

The following limitations apply to an output VLAN:

  • Cannot be a private VLAN or VLAN range.

  • Cannot be shared by multiple analyzer statements.

  • Cannot be a member of any other VLAN.

  • Cannot be an aggregated Ethernet interface (LAG).

  • On some switches, only one interface can be a member of the analyzer VLAN. This limitation does not apply on the QFX10000 switch. When ingress traffic is mirrored, multiple QFX10000 interfaces can belong to the output VLAN and traffic is mirrored from all of those interfaces. If egress traffic is mirrored on a QFX10000 switch, only one interface can be a member of the analyzer VLAN.

Input interface (also known as mirrored or monitored interface)

An interface that copies traffic to the mirror interface. This traffic can be entering or exiting (ingress or egress) the interface. A mirrored input interface cannot be used as an output interface to the analyzer device.

Monitoring station

A computer running an analyzer application.

Local port mirroring

A port-mirroring configuration where the mirrored packets are copied to an interface on the same switch.

Remote port mirroring

Mirrored packets are sent to an output (analyzer) VLAN that you create to receive mirror traffic or to a remote IP address. (You cannot send mirrored packets to a remote IP address on a QFabric system.)

Policy-based mirroring

Mirroring of packets that match a firewall filter term. The action analyzer analyzer-name is used in the firewall filter to send specified packets to the analyzer.

Port Mirroring Instance Types

To configure port mirroring, configure an instance of one of the following types:

  • Analyzer instance—Specify the input and output for the instance. This instance type is useful for ensuring that all traffic transiting an interface or entering a VLAN is mirrored and sent to the analyzer.

  • Port-mirroring instance—You create a firewall filter that identifies the desired traffic and copies it to the mirror port. You do not specify an input for this instance type. This instance type is useful for controlling the types of traffic that are mirrored. You can direct traffic to it in the following ways:

    • Specify the name of the port-mirroring instance in the firewall filter by using the port-mirror-instance instance-name action when there are multiple port-mirroring instances defined.

    • Send the mirrored packets to the output interface defined in the instance by using the port-mirror action when there is only one port-mirroring instance defined.
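The two instance types side by side, as an added configuration example that is not from the original page: an analyzer instance that mirrors all ingress and egress traffic on ge-0/0/0.0 to ge-0/0/10.0, and a port-mirroring instance with no input of its own that is fed by a family ethernet-switching firewall filter applied on ingress to ge-0/0/1.0. The interface names, the instance and filter names, and the 192.0.2.16/28 prefix are assumed for illustration; the ip-source-address match keyword is the ELS form and is spelled differently on older non-ELS releases.

```junos
forwarding-options {
    /* Analyzer instance: input and output defined in the same stanza */
    analyzer {
        employee-monitor {
            input {
                ingress {
                    interface ge-0/0/0.0;
                }
                egress {
                    interface ge-0/0/0.0;
                }
            }
            output {
                interface ge-0/0/10.0;
            }
        }
    }
    /* Port-mirroring instance: no input; only the firewall filter below feeds it */
    port-mirroring {
        instance {
            suspect-hosts {
                output {
                    interface ge-0/0/11.0;
                }
            }
        }
    }
}
firewall {
    family ethernet-switching {
        filter watch-suspects {
            /* Policy-based mirroring: only frames from the assumed 192.0.2.16/28 block are copied */
            term mirror-suspects {
                from {
                    ip-source-address {
                        192.0.2.16/28;
                    }
                }
                then {
                    port-mirror-instance suspect-hosts;
                    accept;
                }
            }
            /* Everything else is forwarded normally and not mirrored */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                /* Filters can feed a mirror only on the input side; egress filters are not supported */
                filter {
                    input watch-suspects;
                }
            }
        }
    }
}
```

The filter-fed instance counts as an ingress mirroring configuration, so together with the analyzer's ingress input this uses both of the two ingress configurations a switch or Node group allows. Neither ge-0/0/10.0 nor ge-0/0/11.0 is a source port, a LAG, or a member of a VLAN or STP domain, which is what the output-interface limitations above require; any VLAN membership those ports had is lost when the mirror is applied.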

Port Mirroring and STP

The behavior of STP in a port-mirroring configuration depends on the version of Junos OS you are using:

  • Junos OS 13.2X50, Junos OS 13.2X51-D25 or earlier, Junos OS 13.2X52: When STP is enabled, port mirroring might not succeed because STP might block the mirrored packets.

  • Junos OS 13.2X51-D30, Junos OS 14.1X53: STP is disabled for mirrored traffic. You must ensure that your topology prevents loops of this traffic.

Port-Mirroring Performance Limitation

Mirroring only the packets required for analysis reduces the risk of degrading overall performance. If you mirror traffic from multiple ports, the mirrored traffic might exceed the capacity of the output interface, and the overflow packets are dropped. We recommend that you limit the amount of mirrored traffic by selecting specific interfaces and avoiding the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter to send only specific traffic to the port-mirroring instance.

Local and Remote Port Mirroring Constraints and Limitations

The following constraints and limitations apply to local and remote port mirroring:

  • You can create a total of four port-mirroring configurations.

  • Each Node group in a QFabric system is subject to the following constraints:

    • Up to four of the configurations can be used for local port mirroring.

    • Up to three of the configurations can be used for remote port mirroring.

  • Regardless of whether you are configuring a standalone switch or a Node group:

    • There can be no more than two configurations that mirror ingress traffic. If you configure a firewall filter to send mirrored traffic to a port, this counts as an ingress mirroring configuration for the switch or Node group to which the filter is applied.

    • There can be no more than two configurations that mirror egress traffic.

    • On QFabric systems, there is no system-wide limit on the total number of mirror sessions.

  • You can configure only one type of output in one port-mirroring configuration; exactly one of the following completes the set forwarding-options analyzer analyzer-name output statement:

    • interface

    • ip-address

    • vlan

  • Configure mirroring in an analyzer (with set forwarding-options analyzer) on only one logical interface for the same physical interface. If you try to configure mirroring on multiple logical interfaces configured on a physical interface, only the first logical interface is successfully configured; the remaining logical interfaces return configuration errors.

  • If you mirror egress packets, do not configure more than 2000 VLANs on a standalone switch or QFabric system. If you do, some VLAN packets might contain incorrect VLAN IDs. This applies to any VLAN packets, not just the mirrored copies.

  • The ratio and loss-priority options are not supported.

  • Packets with physical layer errors are not sent to the output port or VLAN.

  • If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit the output interface.

  • You cannot mirror packets exiting or entering the following ports:

    • Dedicated Virtual Chassis interfaces

    • Management interfaces (me0 or vme0)

    • Fibre Channel interfaces

    • Integrated routing and bridging (IRB) interfaces (also known as routed VLAN interfaces or RVIs)

  • An aggregated Ethernet interface cannot be an output interface if the input is a VLAN or if traffic is sent to the analyzer by using a firewall filter.

  • When mirrored packets are sent out of an output interface, they are not modified for any changes that might be applied to the original packets on egress, such as CoS rewriting.

  • An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.

  • CPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.

  • VLAN-based mirroring is not supported for STP traffic.

  • (QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on different Node devices, the mirrored copies will have incorrect VLAN IDs.

    This limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on the same Node device. In this case the mirrored copies will have the correct VLAN IDs (as long as you do not configure more than 2000 VLANs on the QFabric system).

  • True egress mirroring is defined as mirroring the exact number of copies and the exact packet modifications that went out the egress port. Because the processors on QFX5xxx (including QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210) and EX4600 (including EX4600 and EX4650) switches implement egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet modifications, so egress mirrored traffic can carry incorrect VLAN tags that differ from the tags in the original traffic.

  • If you configure a port-mirroring instance to mirror traffic exiting an interface that performs VLAN encapsulation, the source and destination MAC addresses of the mirrored packets are not the same as those of the original packets.

  • Mirroring on member interfaces of a LAG is not supported.

  • Egress VLAN mirroring is not supported.

Remote Port Mirroring Constraints and Limitations

The following constraints and limitations apply to remote port mirroring:

  • If you configure an output IP address, that address cannot be in the same subnetwork as any of the switch management interfaces.

  • If you create virtual routing instances and you create an analyzer configuration that includes an output IP address, the output IP address belongs to the default virtual routing instance (inet.0 routing table).

  • An output VLAN cannot be a private VLAN or VLAN range.

  • An output VLAN cannot be shared by multiple analyzer statements.

  • An output VLAN interface cannot be a member of any other VLAN.

  • An output VLAN interface cannot be an aggregated Ethernet interface.

  • If the output VLAN has more than one member interface, then traffic is mirrored only to the first member of the VLAN, and other members of the same VLAN do not carry any mirrored traffic.

  • If you attempt to configure more than one analyzer session for remote port mirroring to an IP address (GRE encapsulation) and the IP addresses of the analyzers are reachable through the same interface, then only one analyzer session is configured.

  • The number of possible output interfaces in remote port mirroring varies among the switches in the QFX5K line:

    • QFX5110, QFX5120, QFX5210—Support a maximum of 4 output interfaces

    • QFX5100 and QFX5200—Support a maximum of 3 output interfaces.

  • Whenever any member in a remote port mirroring VLAN is removed from that VLAN, reconfigure the analyzer session for that VLAN.
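Both remote output types, as an added configuration example that is not from the original page: one analyzer sends ingress traffic from ge-0/0/2.0 to a dedicated analyzer VLAN whose only member port faces the monitoring station, and a second analyzer sends ingress traffic from ge-0/0/3.0, GRE-encapsulated, to an output IP address. VLAN ID 999, the interface and analyzer names, and the collector address 198.51.100.20 are assumed; each analyzer uses exactly one output type, as the constraints above require.

```junos
vlans {
    /* Output (analyzer) VLAN: not a private VLAN or range, not shared with another analyzer */
    remote-analyzer {
        vlan-id 999;
    }
}
interfaces {
    /* Single member port of the analyzer VLAN; it belongs to no other VLAN and is not a LAG */
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members remote-analyzer;
                }
            }
        }
    }
}
forwarding-options {
    analyzer {
        /* Remote mirroring to a VLAN; the VLAN may span several switches */
        to-analyzer-vlan {
            input {
                ingress {
                    interface ge-0/0/2.0;
                }
            }
            output {
                vlan remote-analyzer;
            }
        }
        /* Remote mirroring to an IP address; copies leave as GRE packets resolved in inet.0 */
        to-gre-collector {
            input {
                ingress {
                    interface ge-0/0/3.0;
                }
            }
            output {
                ip-address 198.51.100.20;
            }
        }
    }
}
```

The output IP address is looked up in the default routing instance (inet.0) even when other virtual routing instances exist, and it must not lie in the subnet of a management interface such as me0 or vme0; the collector, or a sniffer in front of it, has to strip the GRE encapsulation before analysis. Adding a second port to remote-analyzer does not widen the mirror on most switches (only the first member receives copies), and if ge-0/0/47.0 is later removed from the VLAN the to-analyzer-vlan session must be reconfigured. The two analyzers are two ingress mirroring configurations, which is the maximum per switch or Node group.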