Configuring Port Mirroring
Port mirroring is the ability of a router to send a copy of an IPv4 or IPv6 packet to an external host address or a packet analyzer for analysis.
See Feature Explorer for the latest list of supported platforms and Junos releases that support port mirroring.
This topic, Configuring Port Mirroring, refers to port mirroring on MX Series and PTX Series routers and EX9200 switches. For specific configuration differences, see examples that pertain to port mirroring on these individual platforms—for example, Example: Configuring Remote Port Mirroring on PTX Routers and Example: Configuring Multiple Port Mirroring with Next-Hop Groups on M, MX and T Series Routers.
Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the packet header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.
We use the term mirrored packet rather than sampled packet in this document. Port mirroring is a type of sampling.
One application for port mirroring sends a duplicate packet to a virtual tunnel. A next-hop group can then be configured to forward copies of this duplicate packet to several interfaces. For more information about next-hop groups, see Configuring Next-Hop Groups to Use Multiple Interfaces to Forward Packets Used in Port Mirroring (https://www.juniper.net/documentation/us/en/software/junos/sampling-forwarding-monitoring/topics/concept/policy-configuring-next-hop-groups.html).
All MX Series 5G Universal Routing Platforms support port mirroring for IPv4 or IPv6.
Port mirroring for VPLS traffic is supported on MX Series routers.
Port mirroring is supported for Layer 2 traffic on MX Series routers. For information about how to configure port mirroring for Layer 2 traffic, see the Network Management and Monitoring Guide.
In the MPCs on MX Series routers, GRE and MPLS header information is not contained in the port-mirrored traffic corresponding to MPLS packets transmitted through IP-GRE tunnels.
Port Mirroring Configuration Guidelines
When configuring port mirroring, the following restrictions apply:
- Only transit data is supported.
- The port mirror output interface MTU value should be big enough to accommodate the mirrored packets.
- A standalone trunk port is not supported as a port mirror output interface for MX Series routers and EX9200 switches. If you want to use a trunk port as a mirror output port, you must use a bridge domain (MX) or a VLAN (EX) as the port mirror output, then attach the trunk port to the respective bridge domain or VLAN as an output port.
- You can configure port mirroring for IPv4 and IPv6 simultaneously on MX Series routers.
- Port mirroring in the ingress and egress direction is not supported for link services IQ (lsq-) interfaces.
- Ingress filtering of multicast packets is supported on all Dense Port Concentrators (DPCs) in MX Series routers. Egress filtering of multicast packets is supported for interfaces on MPCs in MX Series routers. Filtering of multicast packets based on destination address is not supported for interfaces on I-chip ASIC-based DPCs in MX Series routers. For Layer 3 port mirroring (family inet and family inet6), if the traffic being mirrored is multicast (in other words, if the packet's destination IP address is a multicast address), the destination MAC address in the mirrored copy corresponds to this multicast destination IP address and not to the unicast MAC address specified in the [edit forwarding-options port-mirroring family (inet | inet6) output] configuration.
- By default, firewall filters cannot be applied to port-mirroring destination interfaces. To enable port-mirroring destination interfaces to support firewall filters, use the no-filter-check statement to disable filter checking on the interfaces. You can include the no-filter-check statement at the following hierarchy levels:
  - [edit forwarding-options port-mirroring family (inet | inet6 | ccc | vpls) output]
  - [edit forwarding-options port-mirroring instance instance-name family (inet | ccc | vpls) output]
- You must include a firewall filter with both the accept action and the port-mirror action modifier on the inbound interface.
- The interface you configure for port mirroring should not participate in any kind of routing activity.
- The destination address you specify should not have a route to the ultimate traffic destination. For example, if the mirrored IPv4 packets have a destination address of 192.68.9.10 and the port-mirrored traffic is sent to 192.68.20.15 for analysis, the device associated with the latter address should not know a route to 192.68.9.10. Also, it should not send the mirrored packets back to the source address.
- MX Series routers support more than one port-mirroring interface per router.
- You can configure multiple port-mirroring instances on MX Series routers.
- You can specify both host (cflowd) sampling and port mirroring in the same configuration. You can perform Routing Engine sampling and port mirroring actions simultaneously. However, you cannot perform PIC sampling and port mirroring actions simultaneously.
- In typical applications, you send the mirrored packets to an analyzer or a workstation for analysis, not to another router. If you must send this traffic over a network, you should use tunnels.
- On PTX Series routers that support port mirroring, IPv4 packets are dropped if the packet length exceeds the configured maximum packet length.
In a firewall filter configured with a port-mirror-instance or port-mirror action, if the l2-mirror action is also configured, the port-mirroring instance family should be any. In the absence of the l2-mirror action, the port-mirroring instance family should be the firewall filter family.

In the following example, port-mirroring instance pm1 uses family inet, which is the firewall filter family, because the l2-mirror action is not present:

```
set chassis network-services enhanced-ip
set interfaces xe-0/0/0:0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0:0 unit 0 family bridge interface-mode access
set interfaces xe-0/0/0:0 unit 0 family bridge vlan-id 100
set forwarding-options port-mirroring instance pm1 input rate 1
set forwarding-options port-mirroring instance pm1 family inet output interface xe-0/0/0:0.0
set firewall family inet filter f1 term t1 from source-address 10.1.1.1/32
set firewall family inet filter f1 term t1 from source-address 10.1.1.2/32
set firewall family inet filter f1 term t1 then count t1
set firewall family inet filter f1 term t1 then port-mirror-instance pm1
set firewall family inet filter f1 term t1 then accept
```
In the following example, because the l2-mirror action is present alongside the port-mirror-instance action, port-mirroring instance pm1 uses family any:

```
set chassis network-services enhanced-ip
set interfaces xe-0/0/0:0 unit 0 family bridge interface-mode access
set interfaces xe-0/0/0:0 unit 0 family bridge vlan-id 100
set forwarding-options port-mirroring instance pm1 input rate 1
set forwarding-options port-mirroring instance pm1 family any output interface xe-0/0/0:0.0
set firewall family inet filter f1 term t1 from source-address 10.1.1.1/32
set firewall family inet filter f1 term t1 from source-address 10.1.1.2/32
set firewall family inet filter f1 term t1 then count t1
set firewall family inet filter f1 term t1 then port-mirror-instance pm1
set firewall family inet filter f1 term t1 then l2-mirror
set firewall family inet filter f1 term t1 then accept
```
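The family rule above (l2-mirror requires family any, otherwise the instance family must match the filter family, and a mirroring term also needs accept) can be checked before commit. The following is an added example, not Juniper code: a small Python check over set-format configuration; the sample is the page's second example, and the mismatched variant is constructed from it.

```python
from collections import defaultdict

def parse_set_config(text):
    """Map instance name -> family, and (filter family, filter, term) -> {action: arg}."""
    instance_family, term_actions = {}, defaultdict(dict)
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[1:4] == ["forwarding-options", "port-mirroring", "instance"] \
                and len(tok) > 6 and tok[5] == "family":
            instance_family[tok[4]] = tok[6]
        elif tok[1:3] == ["firewall", "family"] and "then" in tok:
            # set firewall family <fam> filter <name> term <term> then <action> [<arg>]
            i = tok.index("then")
            arg = tok[i + 2] if len(tok) > i + 2 else None
            term_actions[(tok[3], tok[5], tok[7])][tok[i + 1]] = arg
    return instance_family, term_actions

def check_mirror_families(text):
    """Return the rule violations found; an empty list means the config is consistent."""
    instance_family, term_actions = parse_set_config(text)
    problems = []
    for (fam, name, term), actions in term_actions.items():
        inst = actions.get("port-mirror-instance")
        if inst is None and "port-mirror" not in actions:
            continue  # this term does not mirror anything
        where = f"filter {name} term {term}"
        if "accept" not in actions:  # mirroring terms need the accept action too
            problems.append(f"{where}: port-mirror action without accept")
        if inst is None:
            continue  # global port-mirroring: no instance family to compare
        expected = "any" if "l2-mirror" in actions else fam
        actual = instance_family.get(inst)
        if actual != expected:
            problems.append(f"{where}: instance {inst} family is {actual}, expected {expected}")
    return problems

# The page's second example, minus the chassis and interface lines: l2-mirror is
# present, so the instance family must be any.
SAMPLE_ANY = """
set forwarding-options port-mirroring instance pm1 input rate 1
set forwarding-options port-mirroring instance pm1 family any output interface xe-0/0/0:0.0
set firewall family inet filter f1 term t1 from source-address 10.1.1.1/32
set firewall family inet filter f1 term t1 then count t1
set firewall family inet filter f1 term t1 then port-mirror-instance pm1
set firewall family inet filter f1 term t1 then l2-mirror
set firewall family inet filter f1 term t1 then accept
"""
# Constructed variant: same filter, but the instance family is changed to inet.
SAMPLE_MISMATCH = SAMPLE_ANY.replace("family any", "family inet")
```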
Configuring Port Mirroring
To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level:

```
[edit forwarding-options]
port-mirroring {
    family (ccc | inet | inet6 | vpls) {
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
    input {
        maximum-packet-length bytes;
        rate number;
        run-length number;
    }
}
```
- Configuring the Port-Mirroring Address Family and Interface
- Configuring MX Series Routers to Mirror Traffic Only Once
Configuring the Port-Mirroring Address Family and Interface
To configure port mirroring, include the port-mirroring statement. To configure the address family of the traffic to mirror, include the family statement. To configure the rate of sampling, the length of sampling, and the maximum size of the mirrored packet, include the input statement. To specify the interface on which to send duplicate packets and the next-hop address to send them to, include the output statement. To disable the check for firewall filters on the specified output interface, include the no-filter-check statement.
For information about the rate and run-length statements, see Configuring Traffic Sampling.
Configuring MX Series Routers to Mirror Traffic Only Once
On MX Series routers, you can configure port mirroring so that the router mirrors traffic only once. If you configure port mirroring on both ingress and egress interfaces, the same packet could be mirrored twice. To mirror packets only once and prevent the router from sending duplicate mirrored packets to the same mirroring destination, include the mirror-once statement at the [edit forwarding-options port-mirroring] hierarchy level:

```
[edit forwarding-options port-mirroring]
mirror-once;
```

The mirror-once statement is supported only in the global port-mirroring instance.
Configuring Port-Mirroring Instances
Instances enable you to mirror packets to different destinations from the same PFE and also use different sampling parameters for each instance.
You can configure multiple port-mirroring instances on MX Series routers. For information about configuring multiple port-mirroring instances, see the Network Management and Monitoring Guide.
To configure a port-mirroring instance, include the instance port-mirroring-instance-name statement at the [edit forwarding-options port-mirroring] hierarchy level:

```
[edit forwarding-options port-mirroring]
instance port-mirroring-instance-name {
    family (ccc | inet | inet6 | vpls) {
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
    input {
        maximum-packet-length bytes;
        rate number;
        run-length number;
    }
}
```
Associating a Port-Mirroring Instance with an FPC or a PIC on MX Series Routers
You must associate port-mirroring instances with FPCs or PICs. You can associate a port-mirroring instance with a specific FPC or with a specific PIC on an MX Series router. "Associating" a port-mirroring instance to an FPC or a PIC is sometimes referred to as "binding" the instance to the FPC or PIC.
A PIC-level instance overrides an FPC-level instance, and an FPC-level instance overrides a global instance.
The number of instances supported is as follows:
- On an MX DPC, a maximum of 2 instances can be bound to (associated with) a PIC. Because you can have 4 PICs per FPC, each FPC supports 8 instances.
- On an MX MPC, a maximum of 2 instances are supported, and they can only be bound at the FPC level under the [edit chassis] configuration hierarchy.
To check the association of port-mirroring instances with an FPC, issue the configuration-mode command show chassis fpc fpc-number.
To associate a port-mirroring instance with an FPC or PIC on an MX Series router, you must include the port-mirror-instance port-mirroring-instance-name statement at the [edit chassis fpc slot-number] hierarchy level (replace fpc with pic to configure the binding on a PIC).

```
[edit chassis]
fpc slot-number {
    port-mirror-instance port-mirroring-instance-name;
}
```

You do not need to include this [edit chassis] configuration in a global port-mirroring configuration.
For slot-number, specify the slot number of the FPC or PIC you want to associate with the port-mirroring instance. For port-mirroring-instance-name, specify the name of a port-mirroring instance you configured at the [edit forwarding-options port-mirroring] hierarchy level.
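The binding limits and the PIC-over-FPC-over-global precedence described in this section are easy to get wrong in a large chassis configuration. The following is an added example, not Juniper code: a Python check over set chassis commands that applies the DPC and MPC limits stated above and resolves which instances apply to a given PIC; the card types per slot and the sample configuration are constructed inputs.

```python
from collections import defaultdict

def parse_bindings(text):
    """{fpc: {"fpc": [names], "pic": {pic: [names]}}} from 'set chassis fpc' lines."""
    bindings = defaultdict(lambda: {"fpc": [], "pic": defaultdict(list)})
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] != ["set", "chassis", "fpc"] or "port-mirror-instance" not in tok:
            continue
        fpc, name = int(tok[3]), tok[tok.index("port-mirror-instance") + 1]
        if tok[4] == "pic":
            bindings[fpc]["pic"][int(tok[5])].append(name)
        else:
            bindings[fpc]["fpc"].append(name)
    return bindings

def check_bindings(text, card_type):
    """card_type maps FPC slot -> 'dpc' | 'mpc' (assumed inventory); returns violations."""
    problems = []
    for fpc, b in parse_bindings(text).items():
        if card_type.get(fpc) == "dpc":  # DPC: up to 2 instances per PIC (4 PICs per FPC)
            for pic, names in b["pic"].items():
                if len(names) > 2:
                    problems.append(f"fpc {fpc} pic {pic}: {len(names)} instances, DPC PIC limit is 2")
        else:  # MPC: at most 2 instances, bound at the FPC level only
            if b["pic"]:
                problems.append(f"fpc {fpc}: MPC does not support PIC-level binding")
            if len(b["fpc"]) > 2:
                problems.append(f"fpc {fpc}: {len(b['fpc'])} instances, MPC limit is 2")
    return problems

def effective_instances(text, fpc, pic):
    """PIC-level binding overrides FPC-level, which overrides the global instance."""
    b = parse_bindings(text).get(fpc)
    if b and b["pic"].get(pic):
        return b["pic"][pic]
    if b and b["fpc"]:
        return b["fpc"]
    return ["global"]

# Constructed sample: fpc 0 is a DPC, fpc 1 and fpc 2 are MPCs.
SAMPLE_CHASSIS = """
set chassis fpc 0 pic 0 port-mirror-instance pm1
set chassis fpc 0 pic 0 port-mirror-instance pm2
set chassis fpc 0 pic 0 port-mirror-instance pm3
set chassis fpc 1 port-mirror-instance pm1
set chassis fpc 1 port-mirror-instance pm2
set chassis fpc 2 pic 1 port-mirror-instance pm1
"""
SAMPLE_CARDS = {0: "dpc", 1: "mpc", 2: "mpc"}
```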
Platform-Specific Behavior
Use Feature Explorer to confirm platform and release support for specific features.
Use the following tables to review platform-specific behavior for your platform:
| Platform | Difference |
|---|---|
| PTX Series of Routers | The |