Supported Platforms
Related Documentation
- EX Series
- Example: Configuring Mirroring for Local Monitoring of Employee Resource Use on EX4300 Switches
- Example: Configuring Mirroring for Remote Monitoring of Employee Resource Use on EX4300 Switches
- Configuring Port Mirroring to Analyze Traffic (J-Web Procedure)
- Configuring Mirroring on EX4300 Switches to Analyze Traffic (CLI Procedure)
- Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches
Understanding Port Mirroring and Analyzers on EX4300 Switches
Note: This concept uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Understanding Port Mirroring on EX Series Switches. For ELS details, see Getting Started with Enhanced Layer 2 Software.
Mirroring is needed for traffic analysis on a switch because a switch, unlike a hub, does not flood every frame to every port. The switch forwards a frame only to the port to which the destination device is connected, so a monitoring station on another port never sees that traffic unless a copy is sent to it.
Juniper Networks EX4300 Ethernet Switches support two mirroring methods: port mirroring and analyzers. Either method lets you analyze traffic on EX4300 switches at the packet level. You might use analyzers as part of monitoring switch traffic for purposes such as enforcing policies on network usage and file sharing, and for identifying sources of problems on your network by locating abnormal or heavy bandwidth usage by particular stations or applications.
Mirrored packets can be copied either to a local interface for local monitoring or to a VLAN for remote monitoring. The following packets can be copied:
- Packets entering or exiting a port—You can mirror the packets in any combination of packets entering or exiting ports on up to 256 ports. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.
- Packets entering a VLAN—You can mirror the packets entering a VLAN to either a local analyzer port or to an analyzer VLAN. You can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as ingress input to an analyzer.
- Policy-based sample packets—You can mirror a policy-based sample of packets that are entering a port or a VLAN. You configure a firewall filter to establish a policy to select the packets to be mirrored. You can send the sample to a port-mirroring instance or to an analyzer VLAN.
This topic describes port mirroring, analyzers, the terminology used for both, and the configuration guidelines that apply on EX4300 switches.
Port Mirroring Overview
You configure port mirroring on an EX4300 switch to send copies of unicast traffic to an output destination such as an interface, a routing instance, or a VLAN. You then analyze the mirrored traffic with a protocol analyzer application, running either on a computer connected to the analyzer output interface or on a remote monitoring station.
For the input traffic, you configure a firewall filter term that specifies whether port mirroring is applied to the packets at the interface to which the firewall filter is applied. You can apply a firewall filter configured with the action port-mirror or port-mirror-instance instance-name to input or output logical interfaces (including aggregated Ethernet logical interfaces), to traffic forwarded or flooded to a VLAN, or to traffic forwarded or flooded to a VPLS routing instance; see Table 2 for the traffic directions supported for firewall-filter-based mirroring on EX4300 ports. EX4300 switches support port mirroring of VPLS (family ethernet-switching or family vpls) traffic and of VPN traffic with family ccc in a Layer 2 environment. Within a firewall filter term, you specify the port-mirroring properties under the then statement in either of the following ways:
- Implicitly reference the port-mirroring properties in effect on the port.
- Explicitly reference a particular named instance of port mirroring.
You can configure port mirroring at the [edit forwarding-options port-mirroring] hierarchy level.
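The following configuration is an added example, not taken from the Juniper page or its linked examples. It mirrors only the HTTP traffic arriving on one access port to a local monitor port through a named port-mirroring instance referenced from a firewall filter, which is the "explicitly reference a particular named instance" case above. The interface names, the instance name mirror-http, and the filter name select-http are assumptions chosen for illustration.

```junos
## Added example (not from the original page). Interface names, the instance
## name and the filter name are assumptions for illustration.

## 1. The port-mirroring instance defines only the output destination; the
##    input source comes from the firewall filter (see Table 1, "Port mirroring").
set forwarding-options port-mirroring instance mirror-http output interface ge-0/0/10.0

## 2. The monitor port must be configured under family ethernet-switching
##    (Table 1, "Analyzer output interface"). The monitoring station is attached here.
set interfaces ge-0/0/10 unit 0 family ethernet-switching

## 3. The firewall filter is the policy that selects packets to mirror. The
##    port-mirror-instance action names the instance from step 1. The same term
##    also accepts the packet so it is still forwarded normally, and a final
##    catch-all term accepts everything else; without it the implicit discard at
##    the end of a Junos filter would drop all non-HTTP traffic on the port.
set firewall family ethernet-switching filter select-http term http from destination-port http
set firewall family ethernet-switching filter select-http term http then port-mirror-instance mirror-http
set firewall family ethernet-switching filter select-http term http then accept
set firewall family ethernet-switching filter select-http term rest then accept

## 4. Apply the filter on the monitored port in the ingress direction.
##    Table 2 lists ingress as the only direction for firewall-filter-based
##    mirroring on EX4300 ports.
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input select-http
```

Because the filter supplies the input, the port-mirroring instance itself never names a source port; changing which packets are mirrored is done entirely in the filter terms. Keep the catch-all accept term in every filter that carries a port-mirror-instance action, since the implicit discard silently turns a monitoring change into an outage on the monitored port.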
Analyzer Overview
You can configure an analyzer to define both the input traffic and output traffic in the same analyzer configuration. The input traffic to be analyzed can be traffic that enters or exits an interface, or traffic that enters a VLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, or VLAN. You can configure an analyzer at the [edit forwarding-options analyzer] hierarchy.
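The following configuration is an added example, not taken from the Juniper page or its linked examples, showing the two output forms an analyzer can take with the input and output defined in the same stanza. The first analyzer copies traffic to a local monitor port; the second is the remote variant that sends copies into an analyzer VLAN carried over a trunk to the switch where the monitoring station is attached. Interface names, VLAN names and IDs, and analyzer names are assumptions for illustration.

```junos
## Added example (not from the original page). Interface names, VLAN names,
## VLAN IDs and analyzer names are assumptions for illustration.

## Local mirroring: both directions of ge-0/0/0 plus ingress of ge-0/0/1 are
## copied to monitor port ge-0/0/10, where the protocol analyzer station sits.
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input egress interface ge-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set forwarding-options analyzer employee-monitor output interface ge-0/0/10.0

## The analyzer output interface must be under family ethernet-switching (Table 1).
set interfaces ge-0/0/10 unit 0 family ethernet-switching

## Remote mirroring (alternative to the local analyzer above): ingress traffic
## of an entire VLAN is copied into a dedicated analyzer VLAN. The analyzer VLAN
## has exactly one member interface, the uplink trunk toward the monitoring
## switch (Table 2: at most one interface in a remote analyzer VLAN), and it is
## not the same VLAN, nor a member of the same VLAN, as the input (Table 2).
set vlans employees vlan-id 100
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/23 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members remote-analyzer
set forwarding-options analyzer employee-monitor-remote input ingress vlan employees
set forwarding-options analyzer employee-monitor-remote output vlan remote-analyzer
```

Each analyzer counts toward the limit of four concurrently enabled port-mirroring sessions and analyzers in Table 2, so configure only the variant you need. When the analyzer is not in use, deactivate it rather than leaving it running, for example with deactivate forwarding-options analyzer employee-monitor followed by a commit; this follows the guidance in the configuration guidelines below to disable mirroring when it is not needed.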
Port Mirroring and Analyzer Terminologies
Table 1 lists some port mirroring terms and their descriptions.
Table 1: Mirroring Terminologies
Term | Description |
---|---|
Analyzer | In a mirroring configuration (analyzer) on an EX4300 switch, the analyzer includes both the input definition (the interfaces or VLAN whose traffic is mirrored) and the output definition (the analyzer output interface or analyzer VLAN to which the copies are sent). |
Analyzer output interface (also known as monitor port) | Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected. Note: Interfaces used as output for an analyzer must be configured under the ethernet-switching family. Further limitations on analyzer output interfaces are summarized in Table 2. |
Analyzer VLAN (also known as monitor VLAN) | VLAN to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The member interfaces in the monitor VLAN are spread across the switches in your network. |
Port mirroring | A port-mirroring configuration that does not specify an input source; it specifies only an output destination. A firewall filter configuration must be defined for the input source: packets that match the match conditions of a firewall filter term are mirrored. The action item port-mirror-instance instance-name in the firewall filter configuration sends those packets to the analyzer, and these packets form the input source. |
Global port mirror | A port-mirroring configuration that does not have an instance name. The firewall filter action port-mirror is used in the firewall filter configuration to reference it. |
Input interface (also known as mirrored port or monitored interface) | An interface on the switch that is being mirrored. Traffic that is either entering or exiting this interface is mirrored. |
LAG-based analyzer | An analyzer that has a link aggregation group (LAG) specified as the input (ingress) interface in the analyzer configuration. |
Local mirroring | An analyzer configuration in which packets are mirrored to a local analyzer port. |
Monitoring station | A computer running a protocol analyzer application. |
Native analyzer session | An analyzer session that has both input and output definitions in its analyzer configuration. |
Policy-based mirroring (also known as port mirroring) | Mirroring of packets that match the match conditions in the defined firewall filter term. The action item port-mirror-instance instance-name is used in the firewall filter to send the packets to the monitor port. |
Port-based analyzer | An analyzer session whose configuration defines interfaces for both input and output. |
Protocol analyzer application | An application used to examine packets transmitted across a network segment. Also commonly called a network analyzer, packet sniffer, or probe. |
Remote port mirroring | Functions the same way as local port mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic. |
VLAN-based analyzer | An analyzer session whose configuration uses VLANs for both input and output, or for either input or output. |
Configuration Guidelines for Port Mirroring and Analyzers on EX4300 Switches
When you configure port mirroring or analyzers on EX4300 switches, we recommend that you follow certain guidelines to obtain the most benefit from mirroring. In particular, disable mirroring when you are not using it, and select specific interfaces whose packets must be mirrored (that is, specific interfaces as input to the analyzer) rather than using the all keyword option, which enables mirroring on all interfaces. Mirroring only the necessary packets reduces any potential performance impact, and it also limits how much traffic is copied to a monitoring station.
With local mirroring, traffic from multiple ports is replicated to a single analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped, so the analyzer sees an incomplete picture. When configuring an analyzer, therefore, consider whether the sum of the traffic being mirrored (ingress plus egress of every input port) can exceed the capacity of the analyzer output interface.
Table 2 summarizes further configuration guidelines for mirroring on EX4300 switches.
Table 2: Configuration Guidelines for Port Mirroring and Analyzers on EX4300 Switches
Guideline | Value or Support Information | Comment |
---|---|---|
Number of VLANs that you can use as ingress input to an analyzer. | 256 | |
Number of port-mirroring sessions and analyzers that you can enable concurrently. | 4 | |
Types of ports on which you cannot mirror traffic. | | |
Protocol families that you can include in a port-mirroring configuration for remote traffic. | any | |
Traffic directions that you can configure for mirroring on ports in firewall-filter-based configurations. | Ingress only | |
Mirrored packets exiting an interface reflect rewritten class-of-service (CoS) DSCP or 802.1p bits. | Applicable | |
Packets with physical layer errors are not sent to the local or remote analyzer. | Applicable | Packets with these errors are filtered out and thus are not sent to the analyzer. |
Port mirroring does not support line-rate traffic. | Applicable | Port mirroring for line-rate traffic is done on a best-effort basis. |
Mirroring of packets egressing a VLAN. | Not supported | |
Port-mirroring or analyzer output on a LAG interface. | Supported | |
Maximum number of child members on a port-mirroring or analyzer output LAG interface. | 8 | |
Maximum number of interfaces in a remote port-mirroring or analyzer VLAN. | 1 | |
Egress mirroring of host-generated control packets. | Not supported | |
Configuring Layer 3 logical interfaces in the input stanza of an analyzer. | Not supported | This functionality can be achieved by configuring port mirroring. |
The analyzer input and output stanzas must not contain members of the same VLAN, or the VLAN itself. | Applicable | |
Published: 2014-04-24