Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Configuring Mirroring on EX4300 Switches to Analyze Traffic (CLI Procedure)

Note: This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Port Mirroring to Analyze Traffic (CLI Procedure). For ELS details, see Getting Started with Enhanced Layer 2 Software.

EX4300 switches enable you to configure mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use mirroring to copy these packets:

  • Packets entering or exiting a port
  • Packets entering a VLAN

Best Practice: Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured mirroring configurations when you are not using them.
  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.
  • Limit the amount of mirrored traffic by using firewall filters.

Note: If you want to create additional analyzers without deleting the existing analyzers, then disable the existing analyzers by using the disable analyzer analyzer-name statement from the command-line interface or the J-Web configuration page for mirroring.

Note: Interfaces used as output for an analyzer must be configured under the ethernet-switching family.

Configuring an Analyzer for Local Traffic Analysis

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch (by using analyzers):

  1. Choose a name for the analyzer and specify the input:
    [edit forwarding-options]
    user@switch# set analyzer analyzer-name input ingress interface interface-name

    For example, create an analyzer called employee-monitor for which the input traffic is packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor input ingress interface ge–0/0/0.0
    [edit forwarding-options]
    user@switch# set analyzer employee-monitor input ingress interface ge–0/0/1.0
  2. Configure the destination interface for the mirrored packets:
    [edit forwarding-options]
    user@switch# set analyzer analyzer-name output interface interface-name

    For example, configure ge-0/0/10.0 as the destination interface for the employee-monitor analyzer:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

Configuring an Analyzer for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location (by using analyzers):

  1. Configure a VLAN to carry the mirrored traffic:
    [edit]
    user@switch# set vlans analyzer-name vlan-id vlan-ID

    For example, define an analyzer VLAN called remote-analyzer and assign it a VLAN ID of 999:

    [edit]
    user@switch# set vlans remote-analyzer vlan-id 999
  2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the analyzer VLAN:
    [edit]
    user@switch# set interfaces interface-name unit 0 family ethernet-switching interface-mode trunk vlan members vlan-ID

    For example, set the interface ge-0/1/1 to trunk mode and associate it with the analyzer VLAN ID 999:

    [edit]
    user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching interface-mode trunk vlan members 999
  3. Configure the analyzer:
    1. Define an analyzer and specify the traffic to be mirrored:
      [edit forwarding-options]
      user@switch# set analyzer analyzer-name input ingress interface interface-name

      For example, define the employee-monitor analyzer for which traffic to be mirrored is packets entering interfaces ge-0/0/0.0 and ge-0/0/1.0:

      [edit forwarding-options]
      user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
      [edit forwarding-options]
      user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
    2. Specify the analyzer VLAN as the output for the analyzer:
      [edit forwarding-options]
      user@switch# set analyzer analyzer-name output vlan vlan-ID

      For example, specify the remote-analyzer VLAN as the output analyzer for the employee-monitor analyzer:

      [edit forwarding-options]
      user@switch# set analyzer employee-monitor output vlan 999

Configuring Port Mirroring

To filter packets to be mirrored to a port-mirroring instance, create the instance and then use it as the action in the firewall filter. You can use firewall filters in both local and remote mirroring configurations.

If the same port-mirroring instance is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once.

To filter mirrored traffic, create a port-mirroring instance under the [edit forwarding-options] hierarchy level, and then create a firewall filter. The filter can use any of the available match conditions and must have port-mirror-instance instance-name as an action. This action in the firewall filter configuration provides the input to the port-mirroring instance.

To configure a port-mirroring instance with firewall filters:

  1. Configure the port-mirroring instance name (here, employee-monitor) and the output:
    1. For local analysis, set the output to the local interface to which you will connect the computer running the protocol analyzer application:
      [edit forwarding-options]
      user@switch# set port-mirroring instance employee-monitor output interface ge-0/0/10.0
    2. For remote analysis, set the output to the remote-analyzer VLAN:
      [edit forwarding-options]
      user@switch# set port-mirroring instance employee-monitor output vlan 999
  2. Create a firewall filter by using any of the available match conditions and assign employee-monitor to the port-mirror-instance action:

    This step shows a firewall filter example-filter, with two terms (no-analyzer and to-analyzer):

    1. Create the first term to define the traffic that should not pass through to the port-mirroring instance employee-monitor:
      [edit firewall family ethernet-switching]
      user@switch# set filter (Firewall Filters) example-filter term no-analyzer from source-address ip-address
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term no-analyzer from destination-address ip-address
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term no-analyzer then accept
    2. Create the second term to define the traffic that should pass through to the port-mirroring instance employee-monitor:
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term to-analyzer from destination-port 80
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term to-analyzer then port-mirror-instance employee–monitor
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term to-analyzer then accept
  3. Apply the firewall filter to the interfaces or VLAN that provide input to the port-mirroring instance:
    [edit]
    user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input example-filter
    [edit]
    user@switch# set vlan (802.1Q Tagging) remote-analyzer filter input example-filter
 

Related Documentation

 

Published: 2014-04-24

Previous Page Next Page