Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring Port Mirroring to Multiple Interfaces for Remote Monitoring of Employee Resource Use on EX Series Switches

EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

• Packets entering or exiting a port
• Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switches
• Packets exiting a VLAN on EX8200 switches

Note: The feature of mirroring traffic to multiple VLAN interfaces is available only on EX8200 switches.

You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

This example describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN so that you can perform analysis from a remote monitoring station. The remote-analyzer VLAN in this example contains multiple member interfaces. Therefore, the same traffic is mirrored to all member interfaces of the remote-analyzer VLAN so that mirrored packets can be sent to different remote monitoring stations. You can install applications, such as sniffers and intrusion detection systems, on remote monitoring stations to analyze these mirrored packets and to obtain useful statistical data. For instance, if there are two remote monitoring stations, you can install a sniffer on one remote monitoring station and an intrusion detection system on the other station. You can use a firewall filter analyzer configuration to forward a specific type of traffic to a remote monitoring station.

Best Practice: Mirror only necessary packets to reduce potential performance impact. We recommend that you: Disable your configured port mirroring analyzers when you are not using them. Specify individual interfaces as input to analyzers rather than specifying all interfaces as input. Limit the amount of mirrored traffic by: Using statistical sampling. Setting ratios to select statistical samples. Using firewall filters.

This example describes how to configure remote port mirroring to multiple interfaces on an analyzer VLAN:

Requirements

• Junos OS Release 9.5 or later for EX Series switches
• Three EX8200 switches

Before you configure remote port mirroring, be sure that:

• You have an understanding of port-mirroring concepts.
• The interfaces that the analyzer will use as input interfaces have been configured on the switch.

Overview and Topology

This example describes how to configure port mirroring to multiple interfaces in the remote-analyzer VLAN so that traffic is sent to different remote monitoring stations for analysis.

Figure 1 shows the network topology for this example.

Figure 1: Remote Port Mirroring Example Network Topology Using Multiple VLAN Member Interfaces

• Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both interfaces on the source switch) that serve as connections for employee computers.
• Interfaces ge-0/0/10 and ge-0/0/11 are Layer 2 interfaces that are connected to different destination switches.
• Interface ge-0/0/12 is a Layer 2 interface that connects the Destination 1 switch to the remote monitoring station.
• Interface ge-0/0/13 is a Layer 2 interface that connects the Destination 2 switch to the remote monitoring station.
• VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic to Multiple VLAN Member Interfaces for Remote Analysis

To configure port mirroring to multiple VLAN member interfaces for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks:

CLI Quick Configuration

To quickly configure port mirroring for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

• In the source switch terminal window, copy and paste the following commands:
  [edit]

  set vlans remote-analyzer vlan-id 999

  set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk

  set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999

  set vlans remote-analyzer interface ge-0/0/10 egress

  set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

  set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 999

  set vlans remote-analyzer interface ge-0/0/11 egress

  set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0

  set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0

  set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0

  set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0

  set ethernet-switching-options analyzer employee-monitor loss-priority high

  set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer
• In the Destination 1 switch terminal window, copy and paste the following commands:
  [edit]

  set vlans remote-analyzer vlan-id 999

  set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk

  set vlans remote-analyzer interface ge-0/0/10 ingress

  set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode trunk

  set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer

  set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/12.0
• In the Destination 2 switch terminal window, copy and paste the following commands:
  [edit]

  set vlans remote-analyzer vlan-id 999

  set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

  set vlans remote-analyzer interface ge-0/0/11 ingress

  set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk

  set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer

  set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/13.0

Step-by-Step Procedure

1. On the source switch:
   • Configure the VLAN tag ID for the remote-analyzer VLAN:
     [edit vlans]
user@switch# set remote-analyzer vlan-id 999
   • Configure the interfaces on the network port connected to destination switches for trunk mode and associate it with the remote-analyzer VLAN:
     [edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/11 unit 0 family ethernet-switching vlan members 999
   • Configure ge-0/0/10 and ge-0/0/11 for egress-only traffic so that traffic can only exit from the interface:
     [edit vlans]
user@switch# set remote-analyzer interface ge-0/0/10 egress
user@switch# set remote-analyzer interface ge-0/0/11 egress
   • Configure the employee-monitor analyzer:
     [edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor input egress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input egress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor loss-priority high
user@switch# set analyzer employee-monitor output vlan remote-analyzer
2. On the Destination 1 switch:
   • Configure the VLAN tag ID for the remote-analyzer VLAN:
     [edit vlans]
user@switch# set remote-analyzer vlan-id 999
   • Configure the ge-0/0/10 interface on the Destination 1 switch for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only:
     [edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
user@switch# set vlans remote-analyzer interface ge-0/0/10 ingress
   • Configure the interface connected to the remote monitoring station for trunk mode:
     [edit interfaces]
user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode trunk
   • Configure the employee-monitor analyzer:
     [edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress vlan remote-analyzer
user@switch# set analyzer employee-monitor loss-priority high output interface ge-0/0/12.0
3. On the Destination 2 switch:
   • Configure the VLAN tag ID for the remote-analyzer VLAN:
     [edit vlans]
user@switch# set remote-analyzer vlan-id 999
   • Configure the ge-0/0/11 interface on the Destination 2 switch for trunk mode, associate it with the remote-analyzer VLAN, and set the interface only for ingress traffic:
     [edit interfaces]
user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
user@switch# set vlans remote-analyzer interface ge-0/0/11 ingress
   • Configure the interface connected to the remote monitoring station for trunk mode:
     [edit interfaces]
user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
   • Configure the employee-monitor analyzer:
     [edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress vlan remote-analyzer
user@switch# set analyzer employee-monitor loss-priority high output interface ge-0/0/13.0

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the Destination 1 switch:

Check the results of the configuration on the Destination 2 switch:

Verification

To confirm that the configuration is working properly, perform these tasks:

• Verifying That the Analyzer Has Been Correctly Created

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

	Analyzer name                : employee-monitor
	Output VLAN                  : remote-analyzer 
	Mirror ratio                 : 1
	Loss priority                : High 
	Ingress monitored interfaces : ge-0/0/0.0
	Ingress monitored interfaces : ge-0/0/1.0

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), has a loss priority of high (set this option to high whenever the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and is sending the mirrored traffic to the analyzer called remote-analyzer.