Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring Mirroring to Multiple Interfaces for Remote Monitoring of Employee Resource Use on EX9200 Switches

EX9200 switches allow you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

• Packets entering or exiting a port
• Packets entering or exiting a VLAN on

You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

Best Practice: Mirror only necessary packets to reduce potential performance impact. We recommend that you: Disable your configured mirroring analyzers when you are not using them. Specify individual interfaces as input to analyzers rather than specifying all interfaces as input. Limit the amount of mirrored traffic by: Using statistical sampling. Setting ratios to select statistical samples. Using firewall filters.

This example describes how to configure remote mirroring to multiple interfaces on an analyzer VLAN:

Requirements

• Three EX9200 switches
• Junos OS Release 13.2 or later for EX Series switches

Before you configure remote mirroring, be sure that:

• You have an understanding of mirroring concepts. For information about analyzers, see Understanding Analyzers on EX9200 Switches. For information about port mirroring, see Layer 2 Port Mirroring Overview.
• The interfaces that the analyzer will use as input interfaces have been configured on the switch.

Overview and Topology

This example describes how to mirror traffic entering ports on the switch to the remote analyzer VLAN so that you can perform analysis from a remote monitoring station. The remote-analyzer VLAN in this example contains multiple member interfaces. Therefore, the same traffic is mirrored to all member interfaces of the remote-analyzer VLAN so that mirrored packets can be sent to different remote monitoring stations. You can install applications, such as sniffers and intrusion detection systems, on remote monitoring stations to analyze these mirrored packets and to obtain useful statistical data. For instance, if there are two remote monitoring stations, you can install a sniffer on one remote monitoring station and an intrusion detection system on the other station. You can use a firewall filter analyzer configuration to forward a specific type of traffic to a remote monitoring station.

This example describes how to configure an analyzer to mirror traffic to multiple interfaces in the next-hop group so that traffic is sent to different monitoring stations for analysis.

Figure 1 shows the network topology for this example.

Figure 1: Remote Mirroring Example Network Topology Using Multiple VLAN Member Interfaces in the Next-Hop Group

• Interfaces ge-0/0/0 and ge-0/0/1 are Layer 2 interfaces (both interfaces on the source switch) that serve as connections for employee computers.
• Interfaces ge-0/0/10 and ge-0/0/11 are Layer 2 interfaces that are connected to different destination switches.
• Interface ge-0/0/12 is a Layer 2 interface that connects the Destination 1 switch to the remote monitoring station.
• Interface ge-0/0/13 is a Layer 2 interface that connects the Destination 2 switch to the remote monitoring station.
• VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic to Multiple VLAN Member Interfaces for Remote Analysis

To configure mirroring to multiple VLAN member interfaces for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks:

CLI Quick Configuration

To quickly configure mirroring for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

• In the source switch terminal window, copy and paste the following commands:
  [edit]

  set vlans remote-analyzer vlan-id 999

  set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access

  set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999

  set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access

  set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 999

  set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/0.0

  set forwarding-options analyzer employee-monitor input ingress interface ge-0/0/1.0

  set forwarding-options analyzer employee-monitor input egress interface ge-0/0/0.0

  set forwarding-options analyzer employee-monitor input egress interface ge-0/0/1.0

  set forwarding-options analyzer employee-monitor output next-hop-group remote-analyzer-nhg

  set forwarding-options next-hop-group remote-analyzer-nhg interface ge-0/0/10.0

  set forwarding-options next-hop-group remote-analyzer-nhg interface ge-0/0/11.0

  set forwarding-options next-hop-group remote-analyzer-nhg group-type layer-2
• In the Destination 1 switch terminal window, copy and paste the following commands:
  [edit]

  set vlans remote-analyzer vlan-id 999

  set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode acess

  set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode access

  set forwarding-options analyzer employee-monitor input ingress vlan remote-analyzer

  set forwarding-options analyzer employee-monitor loss-priority high output interface ge-0/0/12.0
• In the Destination 2 switch terminal window, copy and paste the following commands:
  [edit]

  set vlans remote-analyzer vlan-id 999

  set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access

  set interfaces ge-0/0/13 unit 0 family ethernet-switching interface-mode access

  set forwarding-options analyzer employee-monitor input ingress vlan remote-analyzer

  set forwarding-options analyzer employee-monitor loss-priority high output interface ge-0/0/13.0

Step-by-Step Procedure

1. On the source switch:
   • Configure the VLAN ID for the remote-analyzer VLAN:
     [edit vlans]
user@switch# set remote-analyzer vlan-id 999
   • Configure the interfaces on the network port connected to destination switches for access mode and associate it with the remote-analyzer VLAN:
     [edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
user@switch# set ge-0/0/11 unit 0 family ethernet-switching interface-mode trunk
user@switch# set ge-0/0/11 unit 0 family ethernet-switching vlan members 999
   • Configure the employee-monitor analyzer:
     [edit forwarding-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor input egress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input egress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor output next-hop-group remote-analyzer-nhg

     In this analyzer configuration, traffic that enters and exits interfaces ge-0/0/0.0 and ge-0/0/1.0 are sent to the output destination defined by the next-hop group named remote-analyzer-nhg.

   • Configure the remote-analyzer-nhb next-hop group:
     [edit forwarding-options]
user@switch# set next-hop-group remote-analyzer-nhg interface ge-0/0/10.0
user@switch# set next-hop-group remote-analyzer-nhg interface ge-0/0/11.0
user@switch# set next-hop-group remote-analyzer-nhg group-type layer-2
2. On the Destination 1 switch:
   • Configure the VLAN ID for the remote-analyzer VLAN:
     [edit vlans]
user@switch# set remote-analyzer vlan-id 999
   • Configure the ge-0/0/10 interface on the Destination 1 switch for access mode:
     [edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching interface-mode access
   • Configure the interface connected to the remote monitoring station for access mode:
     [edit interfaces]
user@switch# set ge-0/0/12 unit 0 family ethernet-switching interface-mode access
   • Configure the employee-monitor analyzer:
     [edit forwarding-options]
user@switch# set analyzer employee-monitor input ingress vlan remote-analyzer
user@switch# set analyzer employee-monitor loss-priority high output interface ge-0/0/12.0
3. On the Destination 2 switch:
   • Configure the VLAN ID for the remote-analyzer VLAN:
     [edit vlans]
user@switch# set remote-analyzer vlan-id 999
   • Configure the ge-0/0/11 interface on the Destination 2 switch for access mode:
     [edit interfaces]
user@switch# set ge-0/0/11 unit 0 family ethernet-switching interface-mode access
   • Configure the interface connected to the remote monitoring station for access mode:
     [edit interfaces]
user@switch# set ge-0/0/13 unit 0 family ethernet-switching interface-mode access
   • Configure the employee-monitor analyzer:
     [edit forwarding-options]
user@switch# set analyzer employee-monitor input ingress vlan remote-analyzer
user@switch# set analyzer employee-monitor loss-priority high output interface ge-0/0/13.0

Results

Check the results of the configuration on the source switch:

Check the results of the configuration on the Destination 1 switch:

Check the results of the configuration on the Destination 2 switch:

Verification

To confirm that the configuration is working properly, perform these tasks:

• Verifying That the Analyzer Has Been Correctly Created

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

Action

  Analyzer name                    : employee-monitor
  Mirror rate                      	: 1
  Maximum packet length            : 0
  State                            	: up
  Ingress monitored interfaces     : ge-0/0/0.0
  Ingress monitored interfaces     : ge-0/0/1.0
  Egress monitored interfaces     : ge-0/0/0.0
  Egress monitored interfaces     : ge-0/0/1.0
  Output nhg                       : remote-analyzer-nhg

Next-hop-group: remote-analyzer-nhg
  Type:  layer-2
  State: up
  Members Interfaces:
    ge-0/0/10.0
    ge-0/0/11.0

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, which is the default behavior), the state of the configuration is up, which indicates proper state and that the analyzer is programmed, mirrors traffic entering or exiting interfaces ge-0/0/0 and ge-0/0/1, and sends mirrored traffic to multiple interfaces ge-0/0/10.0 and ge-0/0/11.0 through the next-hop-group remote-analyzer-nhg. If the state of the output interface is down or if the output interface is not configured, the value of state will be down and the analyzer will not be able to mirror traffic.