
Examples: Configuring Port Mirroring for Local Analysis

Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring copies packets entering or exiting an interface or entering a VLAN and sends the copies to a local interface for local monitoring.

Note: This example uses the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Configuring Port Mirroring for Local Analysis. For ELS details, see Getting Started with Enhanced Layer 2 Software.

This example describes how to configure port mirroring so that traffic sent by employee computers to the switch is copied to an access interface on the same switch, where an analyzer is attached.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 13.2
  • A switch

Overview and Topology

This topic includes two related examples that describe how to mirror traffic entering interfaces on the switch to an access interface on the same switch. The first example shows how to mirror all traffic sent by employee computers to the switch. The second example includes a filter to mirror only the employee traffic going to the Web.

In this example, xe-0/0/0 and xe-0/0/6 serve as connections for employee computers. Interface xe-0/0/47 is connected to a device running an analyzer application.

Note: Mirroring several ports to a single output interface can oversubscribe that interface; the result is buffer overflow and dropped packets on the analyzer port.

Figure 1 shows the network topology for this example.

Figure 1: Network Topology for Local Port Mirroring Example


Example: Mirroring All Employee Traffic for Local Analysis

To configure port mirroring for all traffic sent by employee computers for local analysis, perform the tasks explained in this section.

CLI Quick Configuration

To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into a switch terminal window:

[edit]
set interfaces xe-0/0/0 unit 0 family ethernet-switching
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set interfaces xe-0/0/47 unit 0 family ethernet-switching
set forwarding-options analyzer employee-monitor input ingress interface xe-0/0/0.0
set forwarding-options analyzer employee-monitor input ingress interface xe-0/0/6.0
set forwarding-options analyzer employee-monitor output interface xe-0/0/47.0

Step-by-Step Procedure

To configure an analyzer called employee-monitor and specify the input (source) interfaces and the output interface:

  1. Configure the interfaces connected to employee computers as input interfaces for the port-mirror analyzer employee-monitor:
    [edit forwarding-options]
    user@switch# set analyzer employee-monitor input ingress interface xe-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface xe-0/0/6.0
  2. Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets:
    [edit forwarding-options]
    user@switch# set analyzer employee-monitor output interface xe-0/0/47.0

Results

Check the results of the configuration:

[edit]
user@switch# show forwarding-options analyzer
employee-monitor {
    input {
        ingress {
            interface xe-0/0/0.0;
            interface xe-0/0/6.0;
        }
    }
    output {
        interface {
            xe-0/0/47.0;
        }
    }
}

Example: Mirroring Employee Web Traffic with a Firewall Filter

Requirements

This example uses the following hardware and software components:

  • One switch
  • Junos 13.2X51

Overview

Rather than mirror all traffic, it is usually desirable to mirror only certain traffic. This makes more efficient use of analyzer bandwidth and switch hardware, and may be necessary because of constraints on those resources. To select specific traffic for mirroring, you use a firewall filter to match the desired traffic and direct it to a port-mirroring instance. The port-mirroring instance then copies the matched packets and sends them to the output VLAN, interface, or IP address.

Configuring

To mirror only the traffic that employees send to the Web, perform the tasks explained in this section. A firewall filter selects that traffic and directs it to a port-mirroring instance.

CLI Quick Configuration

To quickly configure local port mirroring of traffic from employee computers that is destined for the Web, copy the following commands and paste them into a switch terminal window:

[edit]
set forwarding-options port-mirroring instance employee-web-monitor output interface xe-0/0/47.0
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
set interfaces xe-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces xe-0/0/6 unit 0 family ethernet-switching filter input watch-employee

Step-by-Step Procedure

To configure local port mirroring of employee-to-web traffic from the two ports connected to employee computers:

  1. Configure the output interface:
    [edit interfaces]
    user@switch# set xe-0/0/47 unit 0 family ethernet-switching
  2. Configure the employee-web-monitor output interface. (Configure only the output—the input comes from the filter.)
    [edit forwarding-options]
    user@switch# set port-mirroring instance employee-web-monitor output interface xe-0/0/47.0

  3. Configure a firewall filter called watch-employee with a term that matches traffic sent to the Web (destination port 80) and sends it to the port-mirroring instance employee-web-monitor. Traffic within the corporate subnet 192.0.2.16/28 does not need to be copied, so an earlier term accepts it before the Web term is reached. Two points of Junos filter semantics matter here. First, all match conditions in a term must be true for the term to match, so the employee-to-corp term as written accepts only packets whose source and destination are both in 192.0.2.16/28; to exclude traffic that matches either address, use two terms, one on source-address and one on destination-address. Second, a firewall filter discards any packet that matches no term, so traffic from these ports that is neither intra-corporate nor destined for port 80 is dropped unless you add a final term whose action is accept:
    [edit firewall family ethernet-switching]
    user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
    user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
    user@switch# set filter watch-employee term employee-to-corp then accept
    user@switch# set filter watch-employee term employee-to-web from destination-port 80
    user@switch# set filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
  4. Apply the firewall filter to the employee-facing interfaces as an ingress filter (the port-mirror-instance action is not available in egress filters):
    [edit interfaces]
    user@switch# set xe-0/0/0 unit 0 family ethernet-switching filter input watch-employee
    user@switch# set xe-0/0/6 unit 0 family ethernet-switching filter input watch-employee
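The following Python model is an added illustration and is not Junos code or part of the original example. It encodes the Junos filter rules relied on in step 3 (terms evaluated in order, every match condition in a term ANDed, first match wins, implicit discard when no term matches, port-mirror-instance as a non-terminating action that still accepts the packet) and runs the watch-employee filter as written beside a corrected version. The corrected term names (to-corp, from-corp, allow-rest), the sample packets, and the assumption that employee hosts sit outside 192.0.2.16/28 are all mine.

```python
"""Model of Junos firewall-filter evaluation for the watch-employee filter.
Added illustration, not Junos code. Encoded rules: terms evaluate in order,
all match conditions in a term must hold (AND), the first matching term
decides the packet, a packet matching no term hits the implicit discard, and
port-mirror-instance copies the packet while still accepting it."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int


@dataclass
class Term:
    name: str
    accept: bool = True                        # False would model "then discard"
    mirror: Optional[str] = None               # port-mirror-instance name, if any
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = []
        if self.source_address is not None:
            checks.append(ipaddress.ip_address(pkt.src)
                          in ipaddress.ip_network(self.source_address))
        if self.destination_address is not None:
            checks.append(ipaddress.ip_address(pkt.dst)
                          in ipaddress.ip_network(self.destination_address))
        if self.destination_port is not None:
            checks.append(pkt.dst_port == self.destination_port)
        return all(checks)  # a term with no 'from' clause matches everything


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[Optional[str], bool, Optional[str]]:
    """Return (matched term name, accepted?, mirror instance or None)."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.accept, term.mirror
    return None, False, None  # implicit discard at the end of every Junos filter


CORP = "192.0.2.16/28"

# The filter exactly as configured in step 3 above.
AS_WRITTEN = [
    Term("employee-to-corp", source_address=CORP, destination_address=CORP),
    Term("employee-to-web", destination_port=80, mirror="employee-web-monitor"),
]

# Hypothetical corrected filter: one term per address direction and a final
# catch-all accept so non-web traffic is not silently discarded.
CORRECTED = [
    Term("to-corp", destination_address=CORP),
    Term("from-corp", source_address=CORP),
    Term("employee-to-web", destination_port=80, mirror="employee-web-monitor"),
    Term("allow-rest"),
]

# Constructed sample traffic; employee hosts are assumed to be outside CORP.
SAMPLES = {
    "corp-web": Packet("192.0.2.100", "192.0.2.20", 80),
    "internet-web": Packet("192.0.2.100", "198.51.100.10", 80),
    "internet-tls": Packet("192.0.2.100", "198.51.100.10", 443),
}


def verdicts(terms: List[Term]) -> Dict[str, Tuple[Optional[str], bool, Optional[str]]]:
    """Evaluate every sample packet against one filter."""
    return {label: evaluate(terms, pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, terms in (("as written", AS_WRITTEN), ("corrected", CORRECTED)):
        print(label)
        for sample, (term, accepted, mirror) in verdicts(terms).items():
            print(f"  {sample:13} term={term} accepted={accepted} mirror={mirror}")
```

Running the model shows the two failure modes: with the filter as written, a request from an employee host to a corporate web server is mirrored (the AND inside employee-to-corp never matches), and an HTTPS request to the Internet is discarded outright. The corrected filter leaves corporate traffic alone, mirrors only port-80 traffic leaving the corporate subnet, and passes everything else.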

Results

Check the results of the configuration:

[edit]
user@switch# show
forwarding-options {
    port-mirroring {
        instance {
            employee-web-monitor {
                output {
                    interface xe-0/0/47.0;
                }
            }
        }
    }
}
...
firewall {
    family ethernet-switching {
        filter watch-employee {
            term employee-to-corp {
                from {
                    destination-address 192.0.2.16/28;
                    source-address 192.0.2.16/28;
                }
                then accept;
            }
            term employee-to-web {
                from {
                    destination-port 80;
                }
                then port-mirror-instance employee-web-monitor;
            }
        }
    }
}
...
interfaces {
    xe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input watch-employee;
                }
            }
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input watch-employee;
                }
            }
        }
    }
}

Verification

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

You can verify that the port-mirror analyzer has been configured as expected with the show forwarding-options analyzer command:

user@switch> show forwarding-options analyzer
  Port mirror name                : employee-monitor
  Mirror rate                     : 1
  Maximum packet length           : 0
  State                           : up
  Ingress monitored interfaces    : xe-0/0/0.0
  Ingress monitored interfaces    : xe-0/0/6.0
  Output interface                : xe-0/0/47.0
 

Meaning

This output shows that the analyzer employee-monitor has a mirror rate of 1 (every packet is mirrored, which is the default), a maximum packet length of 0 (the entire packet is copied rather than a truncated prefix), and a state of up, meaning the instance is mirroring traffic entering xe-0/0/0 and xe-0/0/6 and sending the copies to xe-0/0/47. If the output interface is down or not configured, the state shows down, the instance is not programmed for mirroring, and no traffic is copied.
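When analyzers are checked from automation rather than by eye, the fields above are the ones to assert on. The script below is an added example, not a Juniper tool: it parses the text of show forwarding-options analyzer into a structure and reports every deviation from the intended setup (state not up, wrong output interface, a missing input, a sampling rate other than 1, or truncation). The two sample outputs are constructed here, the first copied from the output shown above and the second altered to show the output interface down and one input missing; the field labels are assumed to match that output.

```python
"""Parse 'show forwarding-options analyzer' text and check it against the
intended mirroring setup. Added example, not a Juniper tool; sample output
is constructed from the verification output in this example."""
from typing import Dict, List

SAMPLE_UP = """\
  Port mirror name                : employee-monitor
  Mirror rate                     : 1
  Maximum packet length           : 0
  State                           : up
  Ingress monitored interfaces    : xe-0/0/0.0
  Ingress monitored interfaces    : xe-0/0/6.0
  Output interface                : xe-0/0/47.0
"""

# Constructed failure case: analyzer down and one employee port not mirrored.
SAMPLE_DOWN = """\
  Port mirror name                : employee-monitor
  Mirror rate                     : 1
  Maximum packet length           : 0
  State                           : down
  Ingress monitored interfaces    : xe-0/0/0.0
  Output interface                : xe-0/0/47.0
"""


def parse_analyzers(text: str) -> List[Dict]:
    """Return one dict per analyzer block; repeated interface lines accumulate."""
    analyzers: List[Dict] = []
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = " ".join(key.split()).lower()  # collapse tabs and spaces in labels
        value = value.strip()
        if key == "port mirror name":
            current = {"name": value, "rate": None, "max_len": None,
                       "state": None, "ingress": [], "output": None}
            analyzers.append(current)
        elif current is None:
            continue
        elif key == "mirror rate":
            current["rate"] = int(value)
        elif key == "maximum packet length":
            current["max_len"] = int(value)
        elif key == "state":
            current["state"] = value
        elif key == "ingress monitored interfaces":
            current["ingress"].append(value)
        elif key == "output interface":
            current["output"] = value
    return analyzers


def check_analyzer(analyzer: Dict, expected_ingress: List[str],
                   expected_output: str) -> List[str]:
    """List every deviation from the intended setup; an empty list means OK."""
    problems = []
    if analyzer["state"] != "up":
        problems.append(f"state is {analyzer['state']}: instance not programmed, "
                        "nothing is mirrored")
    if analyzer["output"] != expected_output:
        problems.append(f"output interface is {analyzer['output']}, "
                        f"expected {expected_output}")
    missing = sorted(set(expected_ingress) - set(analyzer["ingress"]))
    if missing:
        problems.append("ingress interfaces not mirrored: " + ", ".join(missing))
    if analyzer["rate"] != 1:
        problems.append(f"mirror rate {analyzer['rate']}: only one packet in "
                        f"{analyzer['rate']} is copied")
    if analyzer["max_len"]:
        problems.append(f"packets truncated to {analyzer['max_len']} bytes; "
                        "payload inspection will be partial")
    return problems


if __name__ == "__main__":
    wanted_in, wanted_out = ["xe-0/0/0.0", "xe-0/0/6.0"], "xe-0/0/47.0"
    for text in (SAMPLE_UP, SAMPLE_DOWN):
        analyzer = parse_analyzers(text)[0]
        print(analyzer["name"], check_analyzer(analyzer, wanted_in, wanted_out) or "OK")
```

The check treats a non-default mirror rate and a non-zero maximum packet length as findings because both silently reduce what the analyzer sees: sampling hides packets and truncation hides payload, which matters when the analyzer is an IDS rather than a traffic counter.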

Modified: 2015-08-13