ON THIS PAGE
Precedence of Multiple Levels of Layer 2 Port Mirroring on a Physical Interface
Binding Layer 2 Port Mirroring to Ports Grouped at the FPC Level
Binding Layer 2 Port Mirroring to Ports Grouped at the PIC Level
Examples: Layer 2 Port Mirroring at Multiple Levels of the Chassis
Example: Configuring Layer 2 Port Mirroring Over a GRE Interface
Configuring Port Mirroring on Physical Interfaces
Precedence of Multiple Levels of Layer 2 Port Mirroring on a Physical Interface
You can bind different sets of Layer 2 port mirroring properties (the global instance and one or more named instances) at various levels of an MX Series router or of an EX Series switch chassis (at the chassis level, at the FPC level, or at the PIC level). Therefore, it is possible for a single group of physical interfaces to be bound to multiple Layer 2 port mirroring definitions.
If a group of ports (or, in the case of a PIC-level binding in an MX960 router, a single port) is bound to multiple Layer 2 port mirroring definitions, the router (or switch) applies the Layer 2 port-mirroring properties to those ports as follows:
Chassis-level port-mirroring properties implicitly apply to all ports in the chassis. If an MX Series router or an EX Series switch is configured with the global port-mirroring instance, those port mirroring properties apply to all ports. See Configuring the Global Instance of Layer 2 Port Mirroring.
FPC-level port-mirroring properties override chassis-level properties. If a DPC or FPC is bound to a named instance of port mirroring, those port mirroring properties apply to all ports associated with that DPC or FPC, overriding any port mirroring properties bound at the chassis level. See Binding Layer 2 Port Mirroring to Ports Grouped at the FPC Level.
PIC-level port-mirroring properties override FPC-level properties. If a Packet Forwarding Engine or PIC is bound to a named instance of port-mirroring, those port mirroring properties apply to all ports associated with the Packet Forwarding Engine or PIC, overriding any port-mirroring properties bound to those ports at the FPC level. See Binding Layer 2 Port Mirroring to Ports Grouped at the PIC Level.
Binding Layer 2 Port Mirroring to Ports Grouped at the FPC Level
On an MX Series router and on an EX Series switch, you can bind a named instance of Layer 2 port mirroring to a specific DPC or to a specific FPC in the router (or switch) chassis. This is known as binding a named instance of Layer 2 port mirroring at the FPC level of the router (or switch) chassis. The port mirroring properties specified in the named instance are applied to all physical ports associated with all Packet Forwarding Engines on the specified DPC or FPC.
You can also bind a named instance of Layer 2 port mirroring to a specific Packet Forwarding Engine on a DPC or FPC in the router (or switch) chassis.
For any packet-type family supported by Layer 2 port mirroring
Port-mirroring properties bound to a specific DPC or FPC override any port-mirroring properties configured at the global level.
Port-mirroring properties bound to a specific Packet Forwarding Engine override any port-mirroring properties configured at the DPC or FPC level.
You can apply up to two named instances of Layer 2 port mirroring to the same group of ports within the router (or switch) chassis. By applying two different port-mirroring instances to the same DPC or FPC, you can bind two distinct Layer 2 port-mirroring specifications to a single group of ports.
Before you begin, complete the following tasks:
Define a named instance of Layer 2 port mirroring. See Defining a Named Instance of Layer 2 Port Mirroring.
Display information about the number and types of DPCs or FPCs in the MX Series router and in the EX Series switch, the number of Packet Forwarding Engines on each, and the number and types of ports per Packet Forwarding Engine.
To bind a named instance of Layer 2 port mirroring to a DPC or FPC and its Packet Forwarding Engines:
Binding Layer 2 Port Mirroring to Ports Grouped at the PIC Level
On an MX Series router and on an EX Series switch, you can bind a named instance of Layer 2 port mirroring to the ports associated with a specific Packet Forwarding Engine (on a DPC) or to the ports associated with a specific PIC (installed in an FPC). This is known as binding a named instance of Layer 2 port mirroring at the PIC level of the router (or switch) chassis. The port-mirroring properties specified in the named instance are applied to all physical ports associated with the specified Packet Forwarding Engine.
You can also bind a named instance of Layer 2 port mirroring to a specific DPC or FPC in the router (or switch) chassis.
For any packet-type family supported by Layer 2 port mirroring:
Port-mirroring properties bound to a specific Packet Forwarding Engine override any port-mirroring properties configured at the DPC or FPC level.
Port-mirroring properties bound to a specific DPC or FPC override any port-mirroring properties configured at the global level.
You can apply up to two named instances of Layer 2 port-mirroring to the same group of ports within the router (or switch) chassis. By applying two different port-mirroring instances to the same Packet Forwarding Engine or PIC, you can bind two distinct Layer 2 port mirroring specifications to a single group of ports.
For MX960 routers, there is a one-to-one mapping of Packet Forwarding Engines to Ethernet ports. Therefore, on MX960 routers only, you can bind a named instance of Layer 2 port mirroring to a specific port by binding the instance to the Packet Forwarding Engine associated with the port.
Before you begin, complete the following tasks:
Define a named instance of Layer 2 port mirroring. See Defining a Named Instance of Layer 2 Port Mirroring.
Display information about the number and types of DPCs in the MX Series router or in the EX Series switch, the number of Packet Forwarding Engines on each DPC, and the number and types of ports per Packet Forwarding Engine.
To bind a named instance of Layer 2 port mirroring to a Packet Forwarding Engine:
Examples: Layer 2 Port Mirroring at Multiple Levels of the Chassis
On an MX Series router or on an EX Series switch, you can apply named instances of Layer 2 port mirroring at the FPC or DPC level of the chassis or at the PIC level of the chassis. However, you can configure (and implicitly apply) only one global instance of Layer 2 port mirroring to the entire chassis.
- Layer 2 Port Mirroring at the FPC Level
- Layer 2 Port Mirroring at the PIC Level
- Layer 2 Port Mirroring at the FPC and PIC Levels
Layer 2 Port Mirroring at the FPC Level
In this example configuration of an MX Series router or of an EX Series switch chassis, a named instance of Layer 2 port mirroring (pm1) is bound to physical ports grouped at the FPC level:
[edit]
chassis {
fpc 2 {
port-mirror-instance pm1;
}
}
This is not a complete configuration. The physical interfaces
associated with the FPC or DPC in slot 2 must be configured at
the [edit interfaces] hierarchy level. The Layer 2
port mirroring named instance pm1 must be configured at the [edit forwarding-options port-mirroring instance] hierarchy
level.
Layer 2 Port Mirroring at the PIC Level
In this example configuration of an MX Series router or of an EX Series switch chassis, a named instance of Layer 2 port mirroring (pm2) is bound to the physical ports grouped at the PIC level:
[edit]
chassis {
fpc 2 {
pic 0 {
port-mirror-instance pm2;
}
}
}
This is not a complete configuration. The physical interfaces
associated with the FPC or DPC in slot 2 must be configured at
the [edit interfaces] hierarchy level. The Layer 2
port mirroring named instance pm2 must be configured at the [edit forwarding-options port-mirroring instance] hierarchy
level.
Layer 2 Port Mirroring at the FPC and PIC Levels
In this example configuration of an MX Series router chassis or an EX Series switch, one named instance of Layer 2 port mirroring (pm1) is applied at the FPC level of the router (or switch) chassis. A second named instance (pm2) is applied at the PIC level:
[edit]
chassis {
fpc 2 {
port-mirror-instance pm1;
pic 0 {
port-mirror-instance pm2;
}
}
}
This is not a complete configuration. Physical interfaces associated
with the FPC or DPC in slot 2, including physical interfaces
associated with pic 0, must be configured at the [edit interfaces] hierarchy level. The Layer 2 port mirroring
named instances pm1 and pm2 must be configured at
the [edit forwarding-options port-mirroring instance] hierarchy
level.
Configuring Layer 2 Port Mirroring Over GRE Interface
Port mirroring is the ability of a router to send a copy of a packet to an external host address or a packet analyzer for analysis. One application for port mirroring sends a duplicate packet to a virtual tunnel. A next-hop group can then be configured to forward copies of this duplicate packet to several interfaces. Junos OS supports Layer 2 port mirroring to a remote collector over a GRE interface.
To configure layer 2 port-mirroring over a GRE interface, do the following:
See Also
Example: Configuring Layer 2 Port Mirroring Over a GRE Interface
This example shows how to configure Layer 2 port mirroring over a GRE interface for analysis.
Requirements
This example uses the following hardware and software components:
One MX Series router
Junos OS Release 16.1 or later running on all devices
Overview
Port mirroring is the ability of a router to send a copy of a packet to an external host address or a packet analyzer for analysis. One application for port mirroring sends a duplicate packet to a virtual tunnel. A next-hop group can then be configured to forward copies of this duplicate packet to several interfaces. Starting with Junos OS Release 16.1, Layer 2 port mirroring to a remote collector over a GRE interface is supported.
Topology
Figure 1 shows port mirroring configured over a GRE interface. The interface gr-4/0/0 is configured as family bridge. Firewall family bridge filter f1 is configured as port-mirror. Mirror destination is configured as gr-4/0/0. Firewall family bridge filter f1 is applied at the ingress and egress of the xe-3/2/5.0 interface, which mirrors packets to mirror destination gr-4/0/0.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
R0
set chassis fpc4 pic0 tunnel-services bandwidth 10g set chassis network-services enhanced-ip set interfaces xe-3/2/5 flexible-vlan-tagging set interfaces xe-3/2/5 encapsulation flexible-ethernet-services set interfaces xe-3/2/5 unit 0 encapsulation vlan-bridge set interfaces xe-3/2/5 unit 0 vlan-id 100 set interfaces xe-3/2/5 unit 0 family bridge filter input f1 set interfaces xe-3/2/5 unit 0 family bridge filter output f1 set interfaces xe-3/2/9 flexible-vlan-tagging set interfaces xe-3/2/9 encapsulation flexible-ethernet-services set interfaces xe-3/2/9 unit 0 encapsulation vlan-bridge set interfaces xe-3/2/9 unit 0 vlan-id 100 set interfaces gr-4/0/0 unit 0 tunnel source 10.1.1.1 set interfaces gr-4/0/0 unit 0 tunnel destination 10.1.1.2 set interfaces gr-4/0/0 unit 0 family bridge interface-mode trunk set interfaces gr-4/0/0 unit 0 family bridge vlan-id 100 set forwarding-options port-mirroring input rate 1 set forwarding-options family vpls output interface gr-4/0/0.0 set firewall family bridge filter f1 term t then count c set firewall family bridge filter f1 term t then port-mirror set bridge-domains b vlan-id 100 set bridge-domains b interface xe-3/2/5.0 set bridge-domains b interface xe-3/2/9.0
Configuring R0
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see “Using the CLI Editor in Configuration Mode” in the Junos OS CLI User Guide .
To configure Device R0:
Configure the flexible PIC concentrator parameters of the chassis.
[edit chassis] user@R0# set fpc4 pic0 tunnel-services bandwidth 10g user@R0# set network-services enhanced-ip
Configure the enhanced-ip network services of the chassis.
[edit chassis] user@R0# set network-services enhanced-ip
Configure the interfaces.
[edit interfaces] user@R0# set xe-3/2/5 flexible-vlan-tagging user@R0# set xe-3/2/5 encapsulation flexible-ethernet-services user@R0# set xe-3/2/5 unit 0 encapsulation vlan-bridge user@R0# set xe-3/2/5 unit 0 vlan-id 100 user@R0# set xe-3/2/5 unit 0 family bridge filter input f1 user@R0# set xe-3/2/5 unit 0 family bridge filter output f1 user@R0# set xe-3/2/9 flexible-vlan-tagging user@R0# set xe-3/2/9 encapsulation flexible-ethernet-services user@R0# set xe-3/2/9 unit 0 encapsulation vlan-bridge user@R0# set xe-3/2/9 unit 0 vlan-id 100 user@R0# set gr-4/0/0 unit 0 tunnel source 10.1.1.1 user@R0# set gr-4/0/0 unit 0 tunnel destination 10.1.1.2 user@R0# set gr-4/0/0 unit 0 family bridge interface-mode trunk user@R0# set gr-4/0/0 unit 0 family bridge vlan-id 100
Configure the rate of input packets to be sampled.
[edit forwarding-options] user@R0# set port-mirroring input rate 1
Configure the output interface for the VPLS address family of packets to mirror.
[edit forwarding-options] user@R0# set family vpls output interface gr-4/0/0.0
Configure the protocol family BRIDGE for the firewall filter.
[edit firewall] user@R0# set family bridge filter f1 term t then count c user@R0# set family bridge filter f1 term t then port-mirror
Configure the VLAN ID for the bridge domain.
[edit bridge-domains] user@R0# set b vlan-id 100 user@R0# set b interface xe-3/2/5.0 user@R0# set b interface xe-3/2/9.0
Configure the interface for the bridge domain.
[edit bridge-domains] user@R0# set b interface xe-3/2/5.0 user@R0# set b interface xe-3/2/9.0
Results
From configuration mode, confirm your configuration by entering the show bridge-domains, show chassis, show forwarding-options, show firewall, and show interfaces commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@R0# show chassis
fpc 4 {
pic 0 {
tunnel-services {
bandwidth 10g;
}
}
}
network-services enhanced-ip;
user@R0# show interfaces
}
xe-3/2/5 {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
family bridge {
filter {
input f1;
output f1;
}
}
}
}
xe-3/2/9 {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
gr-4/0/0 {
unit 0 {
tunnel {
source 10.1.1.1;
destination 10.1.1.2;
}
family bridge {
interface-mode trunk;
vlan-id 100;
}
}
}
user@R0# show forwarding-options
port-mirroring {
input {
rate 1;
}
family vpls {
output {
interface gr-4/0/0.0;
}
}
}
user@R0# show firewall
family bridge {
filter f1 {
term t {
then {
count c;
port-mirror;
}
}
}
}
user@R0# show bridge-domains
b {
vlan-id 100;
interface xe-3/2/5.0;
interface xe-3/2/9.0;
}
Verification
Confirm that the configuration is working properly.
Verifying Port Mirroring of Traffic
Purpose
Display port mirroring of traffic information.
Action
On Device R0, from operational mode, run the show
forwarding-options port-mirroring command to display the port
mirroring of traffic information.
user@R0> show forwarding-options port-mirroring
Instance Name: & globalinstance
Instance Id: 1
Input parameters:
Rate : 1
Run-length : 0
Maximum-packet-length : 0
Output parameters:
Family State Destination Next-hop
vpls up gr-4/0/0.0
Instance Name: pm_instance
Instance Id: 2
Input parameters:
Rate : 10
Run-length : 0
Maximum-packet-length : 0
Output parameters:
Family State Destination Next-hop
vpls up gr-4/0/0.0 Meaning
The output shows the port mirroring of traffic information.