This article describes how to set up port mirroring on interfaces that are configured in passive-monitor-mode, together with the commands used to verify and validate the setup.
Port mirroring is mostly used for troubleshooting, traffic analysis, and similar tasks.
Topology:

IXIA C1P1 ---(ge-1/1/1) MX960 (ge-1/1/2)--- IXIA C2P2
                          |
                       ge-1/1/0
            (passive-monitor-mode interface)
                          |
                      IXIA C6P5
When an interface is configured in passive monitoring mode, the Packet Forwarding Engine silently drops transit packets arriving on that interface as well as traffic destined to the router itself. Passive monitoring mode also stops the Routing Engine from transmitting any packet through the interface. Packets received on the monitored interface can be forwarded to monitoring interfaces. If you include the passive-monitor-mode statement in the configuration:
- The ATM interface is always up and it does not receive or transmit incoming control packets, such as Operation, Administration, and Maintenance (OAM), and Interim Local Management Interface (ILMI) cells.
- The SONET/SDH interface does not send keepalives or alarms and does not actively participate in the network.
- Gigabit and Fast Ethernet interfaces can support both per-port passive and per-VLAN passive monitoring. The destination MAC filter on the receive port of the Ethernet interfaces is disabled.
- Ethernet encapsulation options are not allowed.
- Passive flow monitoring is not supported on MSDPC Service PIC cards.
Test plan:
- Send 1000 pps of traffic to 31.1.1.0/30 (ge-1/1/1.0) from source address 5.5.5.2 and check that the packets are mirrored to ge-1/1/2.0 (on 20.1.1.0/30). This traffic matches term 1 of the firewall filter.
- From all other sources: send 200 pps of traffic to 31.1.1.0/30 (ge-1/1/1.0) from source address 45.1.1.1 and check that the packets are mirrored to ge-1/1/0 (on 30.1.1.0/30). This traffic matches term 2 of the firewall filter.
Before starting, the ARP entries for 20.1.1.2 and 30.1.1.2 (the port-mirroring next hops) must be present; otherwise port mirroring will not work.
Configuration:

chassis {
    fpc 1 {
        port-mirror-instance pm-traf-client-mpc;
        port-mirror-instance pm_traf_rezo-mpc;
    }
}
forwarding-options {
    port-mirroring {
        instance {
            pm-traf-client-mpc {
                input {
                    rate 1;
                    run-length 1;    <<<< With rate 1, run-length has no significance. You can remove this statement; it is included in this example only for reference.
                }
                family inet {
                    output {
                        interface ge-1/1/1.0 {
                            next-hop 30.1.1.2;
                        }
                    }
                }
            }
            pm_traf_rezo-mpc {
                input {
                    rate 1;
                    run-length 1;
                }
                family inet {
                    output {
                        interface ge-1/1/2.0 {
                            next-hop 20.1.1.2;
                        }
                    }
                }
            }
        }
    }
}
[edit]
root# show firewall family inet filter PM-mpc
term 1 {
    from {
        source-address {
            5.5.5.0/24;
        }
    }
    then {
        count count_mirror_from_fw-mpc;
        port-mirror-instance pm_traf_rezo-mpc;
    }
}
term 2 {
    then {
        count count_mirror_from_reseau-mpc;
        port-mirror-instance pm-traf-client-mpc;
    }
}
[edit]
root# show interfaces ge-1/1/0
passive-monitor-mode;
unit 0 {
    family inet {
        filter {
            input PM-mpc;
        }
        address 99.99.99.10/24;
    }
}
[edit]
root# show interfaces ge-1/1/1
unit 0 {
    family inet {
        address 30.1.1.1/30;
    }
}
[edit]
root# show interfaces ge-1/1/2
unit 0 {
    family inet {
        address 20.1.1.1/30;
    }
}
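As an added example (not part of the article and not a Junos tool), the following Python script flattens the curly-brace configuration shown above into set-style statements and cross-checks the stanzas against each other: every port-mirror-instance referenced from a firewall term must be defined under forwarding-options, every defined instance must be bound to an FPC under chassis (as the article's configuration does), the input filter applied on the passive interface must exist, and each instance's next-hop must lie on the subnet of its output interface (otherwise the ARP entry the article requires can never be present). The embedded configuration text is a constructed copy of the article's stanzas with the same statements and values, condensed onto fewer lines.

```python
import ipaddress
import re

# Constructed sample: the article's chassis, port-mirroring, firewall and interface
# stanzas with the same statements and values, condensed onto fewer lines.
CONFIG = """\
chassis { fpc 1 { port-mirror-instance pm-traf-client-mpc; port-mirror-instance pm_traf_rezo-mpc; } }
forwarding-options { port-mirroring { instance {
    pm-traf-client-mpc { input { rate 1; run-length 1; }
        family inet { output { interface ge-1/1/1.0 { next-hop 30.1.1.2; } } } }
    pm_traf_rezo-mpc { input { rate 1; run-length 1; }
        family inet { output { interface ge-1/1/2.0 { next-hop 20.1.1.2; } } } }
} } }
firewall { family inet { filter PM-mpc {
    term 1 { from { source-address { 5.5.5.0/24; } }
        then { count count_mirror_from_fw-mpc; port-mirror-instance pm_traf_rezo-mpc; } }
    term 2 { then { count count_mirror_from_reseau-mpc; port-mirror-instance pm-traf-client-mpc; } }
} } }
interfaces {
    ge-1/1/0 { passive-monitor-mode; unit 0 { family inet { filter { input PM-mpc; } address 99.99.99.10/24; } } }
    ge-1/1/1 { unit 0 { family inet { address 30.1.1.1/30; } } }
    ge-1/1/2 { unit 0 { family inet { address 20.1.1.1/30; } } }
}
"""

TOKEN_RE = re.compile(r"[{};]|[^\s{};]+")


def flatten(config):
    """Turn curly-brace Junos config into set-style statements (tuples of tokens)."""
    stack, phrase, statements = [], [], []
    for tok in TOKEN_RE.findall(config):
        if tok == "{":                      # open a container: its name becomes a path element
            stack.append(tuple(phrase))
            phrase = []
        elif tok == ";":                    # leaf statement: full path plus the leaf words
            statements.append(tuple(t for level in stack for t in level) + tuple(phrase))
            phrase = []
        elif tok == "}":
            stack.pop()
        else:
            phrase.append(tok)
    return statements


def check_port_mirroring(config):
    """Return a list of consistency problems; an empty list means the stanzas agree."""
    stmts = [s for s in flatten(config) if len(s) >= 3]
    problems = []
    defined = {s[3] for s in stmts if s[:3] == ("forwarding-options", "port-mirroring", "instance")}
    bound = {s[4] for s in stmts if s[:2] == ("chassis", "fpc") and len(s) == 5 and s[3] == "port-mirror-instance"}
    filters = {s[4] for s in stmts if s[:4] == ("firewall", "family", "inet", "filter") and len(s) > 4}
    subnets = {}                            # logical interface name -> subnet of its inet address
    for s in stmts:
        if s[0] == "interfaces" and s[-2] == "address":
            subnets[f"{s[1]}.{s[3]}"] = ipaddress.ip_interface(s[-1]).network

    for s in stmts:
        if s[0] == "firewall" and s[-2] == "port-mirror-instance" and s[-1] not in defined:
            problems.append(f"filter {s[4]} term {s[6]} references undefined instance {s[-1]}")
        if s[0] == "interfaces" and s[-3:-1] == ("filter", "input") and s[-1] not in filters:
            problems.append(f"{s[1]}.{s[3]} applies undefined input filter {s[-1]}")
        if s[:3] == ("forwarding-options", "port-mirroring", "instance") and "next-hop" in s:
            name, ifl, nh = s[3], s[s.index("interface") + 1], s[s.index("next-hop") + 1]
            if ifl not in subnets:
                problems.append(f"instance {name} outputs to {ifl}, which has no inet address")
            elif ipaddress.ip_address(nh) not in subnets[ifl]:
                problems.append(f"instance {name} next-hop {nh} is not on {ifl} ({subnets[ifl]})")
    for name in sorted(defined - bound):
        problems.append(f"instance {name} is not bound to an FPC under chassis")
    return problems


if __name__ == "__main__":
    for problem in check_port_mirroring(CONFIG) or ["configuration is consistent"]:
        print(problem)
```

The flattener ignores comments and `inactive:` markers, so run it against `show configuration | display set`-style output or a clean candidate configuration rather than a file with annotations such as the `<<<<` note above.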
Verification and Validation commands:
root> show firewall filter PM-mpc
Filter: PM-mpc
Counters:
Name                              Bytes        Packets
count_mirror_from_fw-mpc          203282310    1848021
count_mirror_from_reseau-mpc      17001830     369605

root> show firewall filter PM-mpc
Filter: PM-mpc
Counters:
Name                              Bytes        Packets
count_mirror_from_fw-mpc          203938570    1853987    < The incrementing counters confirm that the firewall filter terms are being hit
count_mirror_from_reseau-mpc      17056708     370798
Check the incoming interface on which passive-monitor-mode is configured:
root> show interfaces ge-1/1/0 | match pps
  Input rate  : 953280 bps (1199 pps)    < This confirms that the interface is receiving traffic from both sources
  Output rate : 0 bps (0 pps)
root> show interfaces ge-1/1/1 | match pps
  Input rate  : 0 bps (0 pps)
  Output rate : 73656 bps (200 pps)      < This confirms that packets are mirrored out of ge-1/1/1 for source IP 45.1.1.1 (firewall term 2)
root> show interfaces ge-1/1/2 | match pps
  Input rate  : 0 bps (0 pps)
  Output rate : 879808 bps (999 pps)     < This confirms that packets are mirrored out of ge-1/1/2 for source IP 5.5.5.2 (firewall term 1)
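As an added example (not part of the article), the following Python script automates the verification above: it parses two captures of show firewall filter PM-mpc, computes how much each counter grew between them (and refuses to report a delta for a counter that was cleared in between), parses the | match pps lines per interface, and checks that the passive interface transmits nothing and that the sum of the mirror outputs matches its input rate. The embedded samples are constructed copies of the article's own output; the 2% tolerance in check_mirroring is an assumption.

```python
import re

# Constructed samples copied from the article's verification output: two successive
# captures of "show firewall filter PM-mpc" and the "| match pps" lines per interface.
FILTER_BEFORE = """\
Filter: PM-mpc
Counters:
Name                              Bytes        Packets
count_mirror_from_fw-mpc          203282310    1848021
count_mirror_from_reseau-mpc      17001830     369605
"""
FILTER_AFTER = """\
Filter: PM-mpc
Counters:
Name                              Bytes        Packets
count_mirror_from_fw-mpc          203938570    1853987
count_mirror_from_reseau-mpc      17056708     370798
"""
RATES = {
    "ge-1/1/0": "Input rate : 953280 bps (1199 pps)\nOutput rate : 0 bps (0 pps)\n",
    "ge-1/1/1": "Input rate : 0 bps (0 pps)\nOutput rate : 73656 bps (200 pps)\n",
    "ge-1/1/2": "Input rate : 0 bps (0 pps)\nOutput rate : 879808 bps (999 pps)\n",
}

COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
RATE_RE = re.compile(r"^(Input|Output) rate\s*:\s*\d+ bps \((\d+) pps\)")


def parse_filter_counters(text):
    """Map counter name -> (bytes, packets) from 'show firewall filter' output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:                               # header and banner lines carry no digits, so they are skipped
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def counter_deltas(before, after):
    """Per-counter (bytes, packets) growth between two captures. A counter that went
    backwards was cleared in between, so it is reported as None, not as a bogus delta."""
    deltas = {}
    for name, (b1, p1) in after.items():
        b0, p0 = before.get(name, (0, 0))
        deltas[name] = None if b1 < b0 or p1 < p0 else (b1 - b0, p1 - p0)
    return deltas


def parse_pps(text):
    """Map 'input'/'output' -> pps from 'show interfaces <ifd> | match pps' output."""
    rates = {}
    for line in text.splitlines():
        m = RATE_RE.match(line.strip())
        if m:
            rates[m.group(1).lower()] = int(m.group(2))
    return rates


def check_mirroring(monitor_ifd, mirror_ifds, rates, tolerance=0.02):
    """Return a list of findings; empty means the passive interface sends nothing and
    its input rate is fully accounted for by the mirror outputs (tolerance is assumed)."""
    findings = []
    mon = parse_pps(rates[monitor_ifd])
    received = mon.get("input", 0)
    if mon.get("output", 0) != 0:
        findings.append(f"{monitor_ifd} is transmitting {mon['output']} pps despite passive-monitor-mode")
    mirrored = sum(parse_pps(rates[ifd]).get("output", 0) for ifd in mirror_ifds)
    if abs(mirrored - received) > tolerance * max(received, 1):
        findings.append(f"mirrored {mirrored} pps but {monitor_ifd} received {received} pps")
    return findings


def term_ratio(deltas, term1_counter, term2_counter):
    """Packet growth of term 1 relative to term 2; the test plan (1000 vs 200 pps) expects about 5."""
    _, p1 = deltas[term1_counter]
    _, p2 = deltas[term2_counter]
    return p1 / p2


if __name__ == "__main__":
    deltas = counter_deltas(parse_filter_counters(FILTER_BEFORE), parse_filter_counters(FILTER_AFTER))
    for name, delta in deltas.items():
        print(name, "cleared between captures" if delta is None else f"+{delta[1]} packets")
    print("term1/term2 ratio:", round(term_ratio(deltas, "count_mirror_from_fw-mpc", "count_mirror_from_reseau-mpc"), 2))
    print("findings:", check_mirroring("ge-1/1/0", ["ge-1/1/1", "ge-1/1/2"], RATES) or "none")
```

With the article's numbers the two counters grow by 5966 and 1193 packets, a 5:1 ratio that matches the 1000 pps and 200 pps test streams, and the 200 + 999 pps leaving ge-1/1/1 and ge-1/1/2 equals the 1199 pps arriving on ge-1/1/0, so no findings are raised.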