You use port mirroring to copy packets and send the copies to a device running an application such as a network analyzer or intrusion detection application so that you can analyze traffic without delaying it. You can mirror traffic entering or exiting a port or entering a VLAN, and you can send the copies to a local access interface or to a VLAN through a trunk interface.

We recommend that you disable port mirroring when you are not using it. To avoid creating a performance issue If you do enable port mirroring, we recommend that you select specific input interfaces instead of using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter.

Note: This task uses the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Port Mirroring. For ELS details, see Getting Started with Enhanced Layer 2 Software.

Note: If you want to create additional analyzers without deleting an existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command.

Note: You must configure port mirroring output interfaces as family ethernet-switching.

Configuring Port Mirroring for Local Analysis

1. If you want to mirror traffic that is ingressing or egressing specific interfaces, choose a name for the port-mirroring configuration and configure what traffic should be mirrored by specifying the interfaces and direction of traffic:
   [edit forwarding-options]
user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name


   Note: If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs. If you do so, some VLAN packets might contain incorrect VLAN IDs.

   Note: If you configure mirroring for packets that egress an access interface, the original packets lose any VLAN tags when they exit the access interface, but the mirrored (copied) packets retain the VLAN tags when they are sent to the analyzer system.

2. If you want to specify that all traffic entering a VLAN should be mirrored, choose a name for the port-mirroring configuration and specify the VLAN:
   [edit forwarding-options]
user@switch# set analyzer analyzer-name input ingress vlan vlan-name


   Note: You cannot configure port mirroring to copy traffic that egresses a VLAN.

3. Configure the destination interface for the mirrored packets:
   [edit forwarding-options]
user@switch# set analyzer analyzer-name output interface interface-name

Configuring Port Mirroring for Remote Analysis

1. Configure a VLAN to carry the mirrored traffic:
   [edit]
user@switch# set vlans vlan-name vlan-id number
2. Configure the interface that connects to another switch (the uplink interface) to trunk mode and associate it with the appropriate VLAN:
   [edit]
user@switch# set interfaces interface-name unit 0 family ethernet-switching port-mode trunk vlan members (vlan-name | vlan-id)

3. Configure the analyzer:
   1. Choose a name for the analyzer:
      [edit forwarding-options]
user@switch# set analyzer analyzer-name
   2. Specify the interface to be mirrored and whether the traffic should be mirrored on ingress or egress:
      [edit forwarding-options]
user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name
   3. Specify the appropriate IP address or VLAN as the output (a VLAN is specified in this example:
      [edit forwarding-options]
user@switch# set analyzer analyzer-name output vlan (vlan-name | vlan-id)

      If you specify an IP address as the output, note the following constraints:

      • The address cannot be in the same subnetwork as any of the switch’s management interfaces.
      • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).
      • The analyzer device must be able to de-encapsulate GRE-encapsulated packets, or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer device. (You can use a network sniffer to de-encapsulate the packets.)

Filtering the Traffic Entering an Analyzer

In addition to specifying which traffic to mirror by configuring an analyzer, you can also use a firewall filter to exercise more control over which packets are copied. For example, you might use a filter to specify that only traffic from certain applications be mirrored. The filter can use any of the available match conditions and must have an action of modifier of port-mirror-instance instance-name. If you use the same analyzer in multiple filters or terms, the output packets are copied only once.

When you use a firewall filter as the input to a port-mirroring instance, you send the copied traffic to a local interface or a VLAN just as you do when a firewall is not involved.

1. Configure a port-mirroring instance for local or remote analysis. Configure only the output. For example, for local analysis enter:
   [edit forwarding-options]
user@switch# set port-mirroring-instance instance-name output interface interface-name

   Note: You cannot configure input to this instance.

2. Create a firewall filter using any of the available match conditions. In a then term, specify include the action modifier port-mirror-instance instance-name.
3. Apply the firewall filter to the interfaces or VLAN that should provide the input to the analyzer:
   [edit]
user@switch# set interfaces interface-name unit 0 family ethernet-switching filter input filter-name


   [edit]
user@switch# set vlan (vlan-name | vlan-id) filter input filter-name