Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Understanding Port Mirroring

Port Mirroring Overview

Port mirroring copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface for local monitoring or to a VLAN for remote monitoring. Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on.

Port mirroring is needed for traffic analysis on a switch because a switch normally sends packets only to the port to which the destination device is connected. You configure port mirroring on the switch to send copies of unicast traffic to a local interface or a VLAN and run an analyzer application on a device connected to the interface or VLAN. You configure port mirroring by using the analyzer statement.

Keep performance in mind when configuring port mirroring. For example, If you mirror traffic from multiple ports, the mirrored traffic may exceed the capacity of the output interface. We recommend that you limit the amount of copied traffic by selecting specific interfaces instead of using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter to send specific traffic to a port mirroring instance. Mirroring only the necessary packets reduces the possibility of a performance impact.

• All packets entering or exiting an interface (in any combination)—For example, you can send copies of the packets entering some interfaces and the packets exiting other interfaces to the same local interface or VLAN. If you configure port mirroring to copy packets exiting an interface, traffic that originates on that switch or Node device (in a QFabric system) is not copied when it egresses. Only switched traffic is copied on egress. (See the limitation on egress mirroring below.)
• All packets entering a VLAN—You cannot use port mirroring to copy packets exiting a VLAN.
• Firewall-filtered sample—Sample of packets entering a port or VLAN. Configure a firewall filter to select certain packets for mirroring.

  Note: Firewall filters are not supported on egress ports; therefore, you cannot specify policy-based sampling of packets exiting an interface.

Port Mirroring Instance Types

To configure port mirroring, you configure an instance of one of the following types:

• Analyzer instance: You must specify the input and output for the instance. This instance type is useful for ensuring that all traffic transiting an interface or VLAN is mirrored and sent to the analyzer device.
• Port-mirroring instance: You do not specify an input for this instance type. Instead, you, create a firewall filter that specifies the required traffic and directs it to the mirror. This instance type is useful for controlling which types of traffic should be mirrored. When you use a port-mirroring instance, you can direct traffic to it in the following ways:
  • Specify the name of the port-mirroring instance in the firewall filter using the port-mirror-instance instance-name firewall action. You should use this approach if there are multiple port-mirroring instances defined.
  • Configure the filter to send the mirrored packets to the output interface defined in the instance using the port-mirror firewall action. You can use this approach if there is only one port-mirroring instance defined.

Port-Mirroring Terminology

Table 1 lists the terms used in the documentation about port mirroring and provides definitions.

Port Mirroring and STP

The behavior of STP in a port-mirroring configuration depends on the version of Junos OS you are using:

• Junos OS 13.2X50, Junos OS 13.2X51-D25 or earlier, Junos OS 13.2X52: If you enable STP, port mirroring might not work because STP might block the mirrored packets.
• Junos OS 13.2X51-D30, Junos OS 14.1X53: STP is disabled for mirrored traffic. You must ensure that your topology prevents loops for this traffic.

Port Mirroring Constraints and Limitations

• Local and Remote Port Mirroring
• Remote Port Mirroring Only

Local and Remote Port Mirroring

• You can create a total of four port-mirroring configurations.
• You can create a total of four port-mirroring configurations on each Node group in a QFabric system, subject to the following constraints:
  • As many as four of the configurations can be for local port mirroring.
  • As many as three of the configurations can be for remote port mirroring.
• Regardless of whether you are configuring a standalone switch or a Node group, the following limits apply:
  • There can be no more than two configurations that mirror ingress traffic. (If you configure a firewall filter to send traffic to a port mirror—that is, you use the analyzer action modifier in a filter term—this counts as an ingress mirroring configuration for switch or Node group on which the filter is applied.)
  • There can be no more than two configurations that mirror egress traffic.

Note: On QFabric systems, there is no system-wide limit on the total number of mirror sessions.

• You can configure no more than one type of output in one port-mirroring configuration. That is, you can use no more than one of the following to complete a set analyzer name output statement:
  • interface
  • ip-address
  • vlan
• If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs on a standalone switch or QFabric system. If you do so, some VLAN packets might contain incorrect VLAN IDs. This applies to any VLAN packets—not only the mirrored copies.
• The ratio and loss-priority options are not supported.
• Packets with physical layer errors are filtered out and are not sent to the output port or VLAN.
• If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit from the output interface.

• You cannot mirror packets exiting or entering the following ports:

  • Dedicated Virtual Chassis interfaces
  • Management interfaces (me0 or vme0)
  • Fibre Channel interfaces
  • Routed VLAN interfaces
• An aggregated Ethernet interface cannot be an output interface if the input is a VLAN or if traffic is sent to the analyzer by a firewall filter.
• Do not include an 802.1Q subinterface that has a unit number other than 0 in a port mirroring configuration. Port mirroring does not work with subinterfaces if their unit number is not 0. (You configure 802.1Q subinterfaces using the vlan-tagging statement.)
• When packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.
• An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.
• CPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.
• VLAN-based mirroring is not supported for STP traffic.
• (QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on different Node devices, the mirrored copies have incorrect VLAN IDs. This limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on the same Node device. In this case the mirrored copies have the correct VLAN IDs (as long as you do not configure more than 2000 VLANs on the QFabric system).

Remote Port Mirroring Only

• If you configure an output IP address, the address cannot be in the same subnetwork as any of the switch’s management interfaces.
• If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).
• An output VLAN cannot be a private VLAN or VLAN range.
• An output VLAN cannot be shared by multiple analyzer statements.
• An output VLAN interface cannot be a member of any other VLAN.
• An output VLAN interface cannot be an aggregated Ethernet interface.
• On the source (monitored) switch, only one interface can be a member of the analyzer VLAN.