Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring Port Mirroring for Local Analysis

Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring copies packets entering or exiting an interface or entering a VLAN and sends the copies to a local interface for local monitoring.

Note: This example uses a release of Junos OS that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Examples: Configuring Port Mirroring for Local Analysis. For ELS details, see Getting Started with Enhanced Layer 2 Software.

This example describes how to configure port mirroring to copy traffic sent by employee computers to a switch to an access interface on the same switch.

Requirements

• Junos OS Release 11.1
• A switch

Overview and Topology

This topic includes two related examples that describe how to mirror traffic entering interfaces on the switch to an access interface on the same switch. The first example shows how to mirror all traffic sent by employee computers to the switch. The second example includes a filter to mirror only the employee traffic going to the Web.

In this example, xe-0/0/0 and xe-0/0/6 serve as connections for employee computers. Interface xe-0/0/47 is connected to a device running an analyzer application.

Note: Multiple ports mirrored to one interface can cause buffer overflow and dropped packets.

Figure 1 shows the network topology for this example.

Figure 1: Network Topology for Local Port Mirroring Example

Mirroring All Employee Traffic for Local Analysis

To configure port mirroring for all traffic sent by employee computers for local analysis, perform the tasks explained in this section.

CLI Quick Configuration

To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into a switch terminal window:

Step-by-Step Procedure

1. Configure the interfaces connected to employee computers as input interfaces for the port-mirror analyzer employee-monitor:
   [edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface xe–0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface xe–0/0/6.0

2. Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets:
   [edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface xe-0/0/47.0

Results

Check the results of the configuration:

Mirroring Employee-to-Web Traffic for Local Analysis

To mirror only traffic sent by employees to the Web for local analysis, perform the tasks explained in this section.

CLI Quick Configuration

To quickly configure local port mirroring of traffic from employee computers that is destined for the Web, copy the following commands and paste them into a switch terminal window:

Step-by-Step Procedure

1. Configure the output interface:
   [edit interfaces]
user@switch# set xe-0/0/47 unit 0 family ethernet-switching
2. Configure the employee-web-monitor analyzer output. (Configure only the output—the input comes from the filter.)
   [edit ethernet-switching-options]
user@switch# set analyzer employee-web-monitor output interface xe-0/0/47.0

   
   
3. Configure a firewall filter called watch-employee that includes a term to match traffic sent to the Web and send it to the analyzer employee-web-monitor. Traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28) does not need to be copied, so create another term to accept that traffic before it reaches the term that sends Web traffic to the analyzer:
   [edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor
4. Apply the firewall filter to the appropriate interfaces as an ingress filter (egress filters do not allow analyzers):
   [edit interfaces]
user@switch# set xe-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set xe-0/0/6 unit 0 family ethernet-switching filter input watch-employee

Results

Check the results of the configuration:

Verification

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

  Analyzer name                : employee-monitor
  Output interface             : xe-0/0/47.0
  Mirror ratio                 : 1
  Loss priority                : Low
  Ingress monitored interfaces : xe-0/0/0.0
  Ingress monitored interfaces : xe-0/0/6.0
  Egress monitored interfaces  : None
 

Meaning

This output shows that the employee-monitor analyzer:

• Has a ratio of 1 (mirroring every packet, the default setting)
• Has a loss priority of low (set this option to high only when the analyzer output is to a VLAN)
• Is mirroring the traffic entering the xe-0/0/0 and xe-0/0/6 interfaces
• Is sending the mirrored traffic to the xe-0/0/47 interface