
[EX] Local and remote port mirror configuration example


Article ID: KB10878   Last Updated: 17 Jan 2020   Version: 6.0
Summary:

With local port mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. To understand the issue, consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface, and deactivate the analyzer after use.

This article provides an example of how this can be done.


Solution:

Port mirroring on an EX-series switch can be used to mirror any of the following:

  1. Packets entering or exiting a port in any combination.
  2. Packets entering a VLAN.
  3. Statistical sample of the packets entering or exiting a port or entering a VLAN.
  4. Policy-based sample of the packets entering a port or VLAN.

NOTE: Mirroring a high volume of traffic can be performance intensive for the switch. Therefore, you should disable port mirroring when you are not using it, and select specific interfaces as input to the port mirror analyzer in preference to using the all keyword. You can also limit the amount of mirrored traffic by using statistical sampling (setting a ratio that selects a statistical sample of the packets) or by applying a firewall filter.

NOTE: With the release of Enhanced Layer-2 Software (ELS) the stanza where port mirroring is configured has changed. For more information on the initial release of ELS for the various switch platforms, refer to the following link:

Getting Started with Enhanced Layer 2 Software

NOTE: The output interface should be of family ethernet switching for the port analyzer to work properly.

Configuring Port Mirroring for Local Traffic Analysis (Non-ELS)

To mirror interface traffic on the switch to an interface on the switch, refer to the steps below. Note that the configuration starts from the "ethernet-switching-options" stanza.

Given the following port configuration:

user@switch# show interfaces ge-0/0/0
    unit 0 {
        family ethernet-switching;
    }

user@switch# show interfaces ge-0/0/1
    unit 0 {
        family ethernet-switching;
    }

user@switch# show interfaces ge-0/0/10
    unit 0 {
        family ethernet-switching;
    }
  1. Choose a name for the port mirroring configuration (in this case, employee-monitor), and specify the input (in this case, packets entering ge-0/0/0 and ge-0/0/1):

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
  2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor ratio 200

    When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch.  

  3. Configure the destination interface for the mirrored packets:

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

Configuring Port Mirroring for Local Traffic Analysis (ELS)

To mirror interface traffic on the switch to an interface on the switch, refer to the steps below. Note that the configuration starts from the "forwarding-options" stanza.

Given the following port configuration:

user@switch# show interfaces ge-0/0/0
    unit 0 {
        family ethernet-switching;
    }

user@switch# show interfaces ge-0/0/1
    unit 0 {
        family ethernet-switching;
    }

user@switch# show interfaces ge-0/0/10
    unit 0 {
        family ethernet-switching;
    }
  1. Choose a name for the port mirroring configuration (in this case, employee-monitor), and specify the input (in this case, packets entering ge-0/0/0 and ge-0/0/1):

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
  2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor ratio 200

    When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch.

  3. Configure the destination interface for the mirrored packets:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

Configuring Port Mirroring for Remote Traffic Analysis (Non-ELS)

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

  1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this KB:

    [edit]
    user@switch# set vlans remote-analyzer vlan-id 999
  2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:

    [edit]
    user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
  3. Configure the analyzer. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor loss-priority high

    Specify the traffic to be mirrored, in this example the packets entering ports ge-0/0/0 and ge-0/0/1:

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

    Specify the remote-analyzer VLAN as the output for the analyzer:

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor output vlan 999
  4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

Configuring Port Mirroring for Remote Traffic Analysis (ELS)

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

  1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this KB:

    [edit]
    user@switch# set vlans remote-analyzer vlan-id 999
  2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:

    [edit]
    user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
  3. Configure the analyzer. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor loss-priority high

    Specify the traffic to be mirrored, in this example the packets entering ports ge-0/0/0 and ge-0/0/1:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

    Specify the remote-analyzer VLAN as the output for the analyzer:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor output vlan 999
  4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

Configuration Results for Local and Remote:

(Non-ELS)

[edit]
user@switch# show
ethernet-switching-options {
    analyzer employee-monitor {
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
            }
        }
        output {
            interface {
                ge-0/0/10.0;
            }
        }
    }
}

[edit ethernet-switching-options]
user@switch# show
analyzer employee-monitor {
    loss-priority high;
    input {
        ingress {
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
        }
    }
    output {
        vlan {
            remote-analyzer;
        }
    }
}

(ELS)

[edit]
user@switch# show
forwarding-options {
    analyzer employee-monitor {
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
            }
        }
        output {
            interface {
                ge-0/0/10.0;
            }
        }
    }
}

[edit forwarding-options]
user@switch# show
analyzer employee-monitor {
    loss-priority high;
    input {
        ingress {
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
        }
    }
    output {
        vlan {
            remote-analyzer;
        }
    }
}
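The configuration results above are the natural input for an automated check. The following is an added example, not code from the KB or from Juniper: it parses Junos-style curly-brace `show` output into nested dicts and audits every analyzer in the stanza the platform uses (ethernet-switching-options for non-ELS, forwarding-options for ELS) against the two rules stated in this article, loss-priority high for a VLAN (remote) output and family ethernet-switching on a local output port. The sample configuration embedded below is constructed to resemble the results shown, with a second, deliberately incomplete remote analyzer.

```python
# Added example (not from the Juniper KB): parse Junos 'show' output and audit analyzers.
import re

def parse_junos(text):
    """'name { ... }' becomes a nested dict; 'leaf;' becomes leaf -> None."""
    root, stack, pending = {}, [], ""
    cur = root
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = " ".join(tok.split())          # collapse whitespace and newlines
        if tok == "{":
            cur[pending] = node = {}
            stack.append(cur)
            cur = node
        elif tok == ";":
            cur[pending] = None
        elif tok == "}":
            cur = stack.pop()
        elif tok:
            pending = tok
    return root

# Constructed sample modelled on the KB results; remote-monitor lacks loss-priority.
SAMPLE = """
interfaces { ge-0/0/10 { unit 0 { family ethernet-switching; } } }
ethernet-switching-options {
  analyzer employee-monitor {
    input { ingress { interface ge-0/0/0.0; interface ge-0/0/1.0; } }
    output { interface { ge-0/0/10.0; } } }
  analyzer remote-monitor { output { vlan { remote-analyzer; } } } }
"""

def audit_analyzers(cfg, els=False):
    """Findings per analyzer in the stanza the platform uses (ELS: forwarding-options)."""
    stanza = "forwarding-options" if els else "ethernet-switching-options"
    findings = []
    for key, body in (cfg.get(stanza) or {}).items():
        if not key.startswith("analyzer "):
            continue
        name = key.split()[1]
        out = body.get("output") or {}
        # Remote mirroring: the KB requires loss-priority high when the output is a VLAN
        if "vlan" in out and "loss-priority high" not in body:
            findings.append(f"{name}: VLAN output without loss-priority high")
        # Local mirroring: the KB requires the output port to be family ethernet-switching
        for iface in out.get("interface") or {}:
            phys, _, unit = iface.partition(".")
            units = (cfg.get("interfaces") or {}).get(phys) or {}
            if "family ethernet-switching" not in (units.get(f"unit {unit or 0}") or {}):
                findings.append(f"{name}: output {iface} is not family ethernet-switching")
    return findings
```

Feed it the text of `show interfaces` together with `show ethernet-switching-options` (or `show forwarding-options` on ELS) and an empty findings list means both rules from this article are satisfied.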


Modification History:

2020-01-17: Added a note that the output interface should be of family ethernet switching for the port analyzer to work properly.

