Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring Mirroring for Local Monitoring of Employee Resource Use on EX4300 Switches

Note: This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches. For ELS details, see Getting Started with Enhanced Layer 2 Software.

EX4300 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

• Packets entering or exiting a port
• Packets entering a VLAN

You can analyze the mirrored traffic by using a protocol analyzer application installed on a system connected to the local destination interface (or running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN).

This example describes how to configure local mirroring on an EX4300 switch. This example describes how to configure the switch to mirror traffic entering interfaces connected to employee computers to an analyzer output interface on the same switch.

Requirements

• One EX4300 switch
• Junos OS Release 13.2X50-D10. or later for EX Series switches

Before you configure mirroring, be sure you have an understanding of mirroring concepts. For information about mirroring, see Understanding Port Mirroring and Analyzers on EX4300 Switches.

Overview and Topology

This topic includes two examples that describe how to mirror traffic entering ports on the switch to a destination interface on the same switch (local mirroring). The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario, but includes a filter to mirror only the employee traffic going to the Web.

The interfaces ge-0/0/0 and ge-0/0/1 serve as connections for employee computers. The interface ge0/0/10 is reserved for analysis of mirrored traffic. Connect a PC running a protocol analyzer application to the analyzer output interface to analyze the mirrored traffic.

Note: Multiple ports mirrored to one interface can cause buffer overflow and dropped packets.

Both examples use the network topology shown in Figure 1.

Figure 1: Network Topology for Local Mirroring Example

Mirroring All Employee Traffic for Local Analysis

To configure mirroring for all employee traffic for local analysis, perform these tasks:

CLI Quick Configuration

To quickly configure local mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. Configure each interface connected to employee computers as an input interface for the analyzer employee-monitor:
   [edit forwarding-options]
user@switch# set analyzer employee-monitor input ingress interface ge–0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge–0/0/1.0

2. Configure the output interface of the analyzer as part of a VLAN
   [edit forwarding-options]
user@switch# set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members analyzer_vlan
   [edit vlans]
user@switch# set analyzer-vlan vlan-id 1000
3. Configure the output analyzer interface for the analyzer employee-monitor. This will be the destination interface for the mirrored packets:
   [edit forwarding-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

Results

Check the results of the configuration:

Mirroring Employee-to-Web Traffic for Local Analysis

To configure mirroring for employee to Web traffic, perform these tasks:

CLI Quick Configuration

To quickly configure local mirroring of traffic from the two ports connected to employee computers, filtering so that only traffic to the external Web is mirrored, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. Configure the local analyzer interface:
   [edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching
2. Configure the employee-web-monitor output instance (the input to the instance comes from the action of the filter):
   [edit forwarding-options port-mirroring]
user@switch# set instance employee-web-monitor output interface ge-0/0/10.0

   
   
3. Configure a firewall filter called watch-employee to send mirrored copies of employee requests to the Web to the employee-web-monitor instance. Accept all traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28). Send mirrored copies of all packets destined for the Internet (destination port 80) to the employee-web-monitor instance.
   [edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then port-mirroring-instance employee-web-monitor
4. Apply the watch-employee filter to the appropriate ports:
   [edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Results

Check the results of the configuration:

Verification

To confirm that the configuration is correct, perform these tasks:

• Verifying That the Analyzer Has Been Correctly Created
• Verifying That The Port-Mirroring Instance Is Configured Properly

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces, and appropriate output interface.

Action

  Analyzer name                    	: employee-monitor
  Mirror rate                     	: 1
  Maximum packet length             : 0
  State                           	 : up
  Ingress monitored interfaces     : ge-0/0/0.0
  Ingress monitored interfaces     : ge-0/0/1.0
  Output interface                	 : ge-0/0/10.0

 

Meaning

This output shows that the analyzer employee-monitor has a ratio of 1 (mirroring every packet, the default setting), the maximum size of the original packet that was mirrored (0 indicates the entire packet), the state of the configuration (is up indicates that the analyzer is mirroring the traffic entering the ge-0/0/0, and ge-0/0/1 interfaces, and sending the mirrored traffic to the ge-0/0/10 interface). If the state of the output interface is down or if the output interface is not configured, the value of state will be down and the analyzer will not be programmed for mirroring.

Verifying That The Port-Mirroring Instance Is Configured Properly

Purpose

Verify that the port-mirroring instance employee-web-monitor has been configured properly on the switch with the appropriate input interfaces.

Action

Instance Name: employee-web-monitor
  Instance Id: 3
  Input parameters:
    Rate                  : 1
    Run-length            : 0
    Maximum-packet-length : 0
  Output parameters:
    Family              State     Destination          Next-hop
    ethernet-switching  up        ge-0/0/10.0

Meaning

This output shows that the employee-web-monitor instance has a ratio of 1 (mirroring every packet, the default), the maximum size of the original packet that was mirrored (0 indicates an entire packet), the state of the configuration is up and port mirroring is programmed, and that mirrored traffic from the firewall filter action is sent out on interface ge-0/0/10.0. If the state of the output interface is down or if the interface is not configured, the value for state will be down and port mirroring will not be programmed for mirroring.