Configuring Port Mirroring
Port mirroring is the ability of a router to send a copy of an IPv4 or IPv6 packet to an external host address or a packet analyzer for analysis. Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the packet header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.
See Feature Explorer for the latest list of supported platforms and Junos releases that support port mirroring.
One application for port mirroring sends a duplicate packet to a virtual tunnel. A next-hop group can then be configured to forward copies of this duplicate packet to several interfaces. For more information about next-hop groups, see Configuring Next-Hop Groups to Use Multiple Interfaces to Forward Packets Used in Port Mirroring.
All MX Series 5G Universal Routing Platforms support port mirroring for IPv4 or IPv6.
Port mirroring for VPLS traffic is supported on MX Series routers.
Port mirroring is supported for Layer 2 traffic on MX Series routers. For information about how to configure port mirroring for Layer 2 traffic, see the Network Management and Monitoring Guide.
In the MPCs on MX Series routers, GRE and MPLS header information is not contained in the port-mirrored traffic corresponding to MPLS packets transmitted through IP-GRE tunnels.
Port Mirroring Configuration Guidelines
When configuring port mirroring, the following restrictions apply:
- Only transit data is supported.
- The port mirror output interface MTU value should be big enough to accommodate the mirrored packets.
- A standalone trunk port is not supported as a port mirror or analyzer output interface for MX Series routers and EX Series switches. If you want to use a trunk port as a mirror output port, you must use a bridge domain (MX) or a VLAN (EX) as port mirror output, then attach the trunk port to the respective bridge domain or VLAN as an output port.
- You can configure port mirroring for IPv4 and IPv6 simultaneously on the MX Series routers.
- Port mirroring in the ingress and egress direction is not supported for link services IQ (lsq-) interfaces.
- Ingress filtering of multicast packets is supported on all Dense Port Concentrators (DPCs) in MX Series routers. Egress filtering of multicast packets is supported for interfaces on MPCs in MX Series routers. Filtering of multicast packets based on destination address is not supported for interfaces on I-chip ASIC-based DPCs in MX Series routers.
  For Layer 3 port mirroring (family inet and family inet6), if the traffic being mirrored is multicast (in other words, if the packet's destination IP address is a multicast address), the destination MAC address in the mirrored copy corresponds to this multicast destination IP address and not to the unicast MAC address specified in the [edit forwarding-options port-mirroring family (inet | inet6) output] configuration.
- By default, firewall filters cannot be applied to port-mirroring destination interfaces. To enable port-mirroring destination interfaces to support firewall filters, use the no-filter-check statement to disable filter checking on the interfaces. You can include the no-filter-check statement at the following hierarchy levels:
  - [edit forwarding-options port-mirroring family (inet | inet6 | ccc | vpls) output]
  - [edit forwarding-options port-mirroring instance instance-name family (inet | ccc | vpls) output]
- You must include a firewall filter with both the accept action and the port-mirror action modifier on the inbound interface.
- The interface you configure for port mirroring should not participate in any kind of routing activity.
- The destination address you specify should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 192.68.9.10 and the port-mirrored traffic is sent to 192.68.20.15 for analysis, the device associated with the latter address should not know a route to 192.68.9.10. Also, it should not send the sampled packets back to the source address.
- MX Series routers support more than one port-mirroring interface per router.
- You can configure multiple port-mirroring instances on the MX Series routers.
- You can specify both host (cflowd) sampling and port mirroring in the same configuration. You can perform Routing Engine sampling and port mirroring actions simultaneously. However, you cannot perform PIC sampling and port mirroring actions simultaneously.
- In typical applications, you send the sampled packets to an analyzer or a workstation for analysis, not to another router. If you must send this traffic over a network, you should use tunnels.
Configuring Port Mirroring
To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level:

    [edit forwarding-options]
    port-mirroring {
        family (ccc | inet | inet6 | vpls) {
            output {
                interface interface-name {
                    next-hop address;
                }
                no-filter-check;
            }
            input {
                maximum-packet-length bytes;
                rate number;
                run-length number;
            }
        }
    }
Configuring the Port-Mirroring Address Family and Interface
To configure port mirroring, include the port-mirroring statement. To configure the address family type of traffic to sample, include the family statement. To configure the rate of sampling, the length of sampling, and the maximum size for the mirrored packet, include the input statement. To specify the interface on which to send the duplicate packets and the next-hop address to send them to, include the output statement. To disable the check that by default prevents firewall filters from being applied to the port-mirroring output interface, include the no-filter-check statement.

For information about the rate and run-length statements, see Configuring Traffic Sampling.
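The following is an added, complete configuration (not taken from the Juniper page) that puts the guidelines above together: transit IPv4 traffic arriving on ge-0/0/0 is selected by a firewall filter whose term carries both the accept action and the port-mirror action modifier, and copies are sent out ge-0/0/1 toward an analyzer. The interface names, the filter name pm-ingress and the addresses (RFC 5737 documentation ranges) are assumptions; the input block is placed directly under port-mirroring, following the instance hierarchy shown on this page.

```junos
## Added example configuration; interface names, filter name and addresses are assumptions.
[edit forwarding-options]
port-mirroring {
    input {
        rate 1;                        # mirror every packet the filter selects (1 = no subsampling)
    }
    family inet {
        output {
            interface ge-0/0/1.0 {
                next-hop 192.0.2.10;   # analyzer address (constructed, RFC 5737 range)
            }
            no-filter-check;           # allow a firewall filter on the output interface if one is needed
        }
    }
}
[edit firewall family inet]
filter pm-ingress {
    term mirror-transit {
        then {
            port-mirror;               # action modifier: copy the packet to the mirror output
            accept;                    # the accept action is required together with port-mirror
        }
    }
}
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input pm-ingress;      # inbound interface carrying the transit traffic
            }
            address 198.51.100.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.0.2.1/24;      # directly connected to the analyzer; the analyzer must have
        }                              # no route back to the mirrored packets' real destinations
    }
}
```

The output interface ge-0/0/1 carries nothing but mirrored copies and takes part in no routing protocol, and the analyzer at 192.0.2.10 should hold no route to the mirrored traffic's destination prefixes, so that copies are never re-forwarded into the network.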
Configuring Multiple Port-Mirroring Instances
You can configure multiple port-mirroring instances on the MX Series routers. For information about configuring multiple port-mirroring instances on MX Series routers, see the Network Management and Monitoring Guide.
To configure a port-mirroring instance, include the instance port-mirroring-instance statement at the [edit forwarding-options port-mirroring] hierarchy level:

    [edit forwarding-options port-mirroring]
    instance port-mirroring-instance-name {
        family (ccc | inet | inet6 | vpls) {
            output {
                interface interface-name {
                    next-hop address;
                }
                no-filter-check;
            }
        }
        input {
            maximum-packet-length bytes;
            rate number;
            run-length number;
        }
    }
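As an added example (not from the Juniper page), two named instances send different subsets of traffic to different analyzers with different sampling rates. The instance names, interface names and addresses are assumptions. The port-mirror-instance firewall action that steers a term to a named instance, and the chassis fpc binding of an instance to the line card, are not shown on this page; they are taken from the wider Junos hierarchy and are assumptions here.

```junos
## Added example configuration; instance names, interfaces and addresses are assumptions.
[edit forwarding-options port-mirroring]
instance pm-to-ids {
    input {
        rate 1;                        # every selected packet goes to the IDS
    }
    family inet {
        output {
            interface ge-0/0/1.0 {
                next-hop 192.0.2.10;   # IDS sensor (constructed address)
            }
        }
    }
}
instance pm-to-capture {
    input {
        rate 10;                       # one packet in ten for long-term capture
    }
    family inet {
        output {
            interface ge-0/0/2.0 {
                next-hop 192.0.2.20;   # capture host (constructed address)
            }
        }
    }
}
[edit firewall family inet]
filter pm-split {
    term dns-to-ids {
        from {
            protocol udp;
            destination-port 53;
        }
        then {
            port-mirror-instance pm-to-ids;      # assumption: action from the wider Junos hierarchy
            accept;
        }
    }
    term rest-to-capture {
        then {
            port-mirror-instance pm-to-capture;  # assumption: action from the wider Junos hierarchy
            accept;
        }
    }
}
[edit chassis]
fpc 0 {
    port-mirror-instance pm-to-ids;              # assumption: instance-to-FPC binding
}
[edit interfaces ge-0/0/0 unit 0 family inet]
filter {
    input pm-split;                              # inbound transit interface
}
```

Each term still carries accept alongside the mirroring action, as the guidelines require, and each instance keeps its own output interface and next hop so the two analyzers never see each other's copies.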
Configuring MX Series Routers to Mirror Traffic Only Once
On MX Series routers, you can configure port mirroring so that the router mirrors traffic only once. If you configure port mirroring on both ingress and egress interfaces, the same packet could be mirrored twice. To mirror packets only once and prevent the router from sending duplicate sampled packets to the same mirroring destination, include the mirror-once statement at the [edit forwarding-options port-mirroring] hierarchy level:

    [edit forwarding-options port-mirroring]
    mirror-once;

The mirror-once statement is supported only in the global port-mirroring instance.
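An added example (not from the Juniper page) of the situation mirror-once addresses: transit traffic enters on ge-0/0/0 and leaves on ge-0/0/3, and the same mirroring filter is applied on the input of the first interface and the output of the second, so without mirror-once every packet would reach the analyzer twice. Interface names, the filter name pm-both and the addresses are assumptions.

```junos
## Added example configuration; interface names, filter name and addresses are assumptions.
[edit forwarding-options port-mirroring]
mirror-once;                           # global instance only: suppress the second copy of a packet
input {
    rate 1;
}
family inet {
    output {
        interface ge-0/0/1.0 {
            next-hop 192.0.2.10;       # analyzer (constructed address)
        }
    }
}
[edit firewall family inet]
filter pm-both {
    term mirror {
        then {
            port-mirror;
            accept;
        }
    }
}
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input pm-both;         # first match: packet arrives here ...
            }
            address 198.51.100.1/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            filter {
                output pm-both;        # ... second match: the same packet is forwarded out here
            }
            address 203.0.113.1/24;
        }
    }
}
```

Without mirror-once, a capture on the analyzer shows each transit packet duplicated, which inflates traffic counts and can make a flow appear retransmitted; with it, the analyzer receives one copy per packet. If the mirroring is split into named instances, mirror-once cannot be used, so the ingress and egress filters should then be arranged not to select the same packets.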