This article provides information on how to configure layer 2 port mirroring on MX Series routers.
Topology
R1(ge-0/1/0)--------------------(ge-1/0/1) MX80 (ge-1/0/0)--------------------(ge-0/3/0)R2
                                              (ge-1/0/3)
                                                  |
                                                  |
                                                  |
                                                  PC
The goal, in the setup above, is to capture all transit layer 2 packets flowing from R1 to R2; the MX-80 is acting as a layer 2 bridge between them.
Configuring bridging on MX interfaces and configuring layer 3 interfaces on R1 and R2
In this setup, VLAN 100 is used for the transit between R1 and R2.
On MX-80:
Configure two bridge domains: one containing the port-mirrored interfaces (ge-1/0/0 and ge-1/0/1, VLAN 100) and one containing the interface to which the packet analyzer is connected (ge-1/0/3):
bridge-domains {
    analyzer {
        domain-type bridge;
        interface ge-1/0/3.0;
    }
    mirrorports {
        domain-type bridge;
        vlan-id 100;
        interface ge-1/0/0.0;
        interface ge-1/0/1.0;
    }
}
ge-1/0/0 {
    vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 0 {
        vlan-id 100;
        family bridge;
    }
}
ge-1/0/1 {
    vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 0 {
        vlan-id 100;
        family bridge;
    }
}
ge-1/0/3 {
    encapsulation ethernet-bridge;
    unit 0 {
        family bridge;
    }
}
On R1:
ge-0/1/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.10.10.1/30;
        }
    }
}
On R2:
ge-0/3/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.10.10.2/30;
        }
    }
}
After the above configuration is implemented, R1 will be able to ping R2 as shown below:
lab@R1-re0# run ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=1.296 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=1.227 ms
Configuring the firewall filter for port-mirroring:
This firewall filter determines which packets are sampled and sent out of the analyzer interface. The filter can be applied as the input or output filter of a logical interface, depending on which direction of traffic needs to be captured. Here the single term matches all frames, counts them, accepts them (so forwarding is unaffected) and marks them for port mirroring:
firewall {
    family bridge {
        filter test {
            interface-specific;
            term all {
                then {
                    count cnt1;
                    accept;
                    port-mirror;
                }
            }
        }
    }
}
Apply the firewall filter to the ge-1/0/1 interface:
set interfaces ge-1/0/1 unit 0 family bridge filter input test
Configuring port-mirroring under forwarding-options (rate 1 with run-length 1 mirrors every packet that the filter marks; the mirrored copies are sent out of the analyzer interface ge-1/0/3.0):
forwarding-options {
    port-mirroring {
        input {
            rate 1;
            run-length 1;
        }
        family vpls {
            output {
                interface ge-1/0/3.0;
                no-filter-check;
            }
        }
    }
}
Verifying the Configuration
Connect a packet analyzer to the ge-1/0/3 port to capture the transit packets from R1 to R2. The following commands can also be used for some basic verification on the router. First, check that packets are hitting the firewall filter (the counter name carries the interface suffix because the filter is interface-specific):
lab@Mx-80-3> show firewall
Filter: __default_bpdu_filter__
Filter: test-ge-1/0/1.0-i
Counters:
Name                                                Bytes              Packets
cnt1-ge-1/0/1.0-i                                  478114                 5695
Check the bridge domain configuration:
lab@Mx-80-3> show bridge domain
Routing instance        Bridge domain            VLAN ID     Interfaces
default-switch          analyzer                 NA          ge-1/0/3.0
default-switch          mirrorports              100         ge-1/0/0.0
                                                             ge-1/0/1.0
Check the port-mirroring settings:
lab@Mx-80-3> show forwarding-options port-mirroring
Instance Name: &global_instance
  Instance Id: 1
  Input parameters:
    Rate                  : 1
    Run-length            : 1
    Maximum-packet-length : 0
  Output parameters:
    Family              State     Destination          Next-hop
    vpls                up        ge-1/0/3.0
Note: for port mirroring, family bridge and family vpls are treated as the same family, which is why the output configured for the bridge-domain traffic is shown under vpls.
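A monitoring feed that silently stops delivering packets is a common blind spot, so it is worth checking the verification commands above programmatically. The following is an added example, not part of the original article: it parses constructed copies of the "show firewall" and "show forwarding-options port-mirroring" output shown above (the counter name, family and analyzer interface are those used in this article) and reports whether the mirror output is up and pointed at the expected analyzer interface and whether the filter has matched any packets.

```python
import re

# Constructed sample output modelled on the article's CLI output (not a live capture).
SHOW_FIREWALL = """\
Filter: __default_bpdu_filter__
Filter: test-ge-1/0/1.0-i
Counters:
Name                                                Bytes              Packets
cnt1-ge-1/0/1.0-i                                  478114                 5695
"""

SHOW_PORT_MIRRORING = """\
Instance Name: &global_instance
  Instance Id: 1
  Input parameters:
    Rate                  : 1
    Run-length            : 1
    Maximum-packet-length : 0
  Output parameters:
    Family              State     Destination          Next-hop
    vpls                up        ge-1/0/3.0
"""

def filter_counters(text):
    """Return {counter_name: packets} parsed from 'show firewall' output."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+)\s+(\d+)\s*$", line)  # name bytes packets
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters

def mirror_outputs(text):
    """Return {family: (state, destination)} from the port-mirroring output table."""
    outputs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(vpls|bridge|inet6?)\s+(\S+)\s+(\S+)", line)
        if m:
            outputs[m.group(1)] = (m.group(2), m.group(3))
    return outputs

def check_mirror_health(fw_text, pm_text, counter, analyzer_if):
    """Return a list of problems; an empty list means the mirror feed looks healthy."""
    problems = []
    packets = filter_counters(fw_text).get(counter)
    if packets is None:
        problems.append(f"counter {counter} not found")
    elif packets == 0:
        problems.append(f"counter {counter} has not matched any packets")
    outputs = mirror_outputs(pm_text)
    if not ("vpls" in outputs or "bridge" in outputs):
        problems.append("no bridge/vpls port-mirroring output configured")
    for fam, (state, dest) in outputs.items():
        if state != "up":
            problems.append(f"family {fam} output is {state}")
        if dest != analyzer_if:
            problems.append(f"family {fam} sends to {dest}, expected {analyzer_if}")
    return problems
```

In practice the two text inputs would come from the router over NETCONF or SSH; the parsing and checks stay the same.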
To check that the mirrored packets are flowing out of the analyzer interface, use the following command and watch the output packet counters increase:
lab@Mx-80-3> monitor interface ge-1/0/3.0
Mx-80-3                                     Seconds: 8                  Time: 12:02:03
                                                                        Delay: 1/1/15
Interface: ge-1/0/3.0, Enabled, Link is Up
Flags: SNMP-Traps 0x20004000
Encapsulation: Extended-VLAN-Bridge VLAN-Tag [ 0x8100.100 ]
Local statistics:                                                       Current delta
  Input bytes:                                0                         [0]
  Output bytes:                               0                         [0]
  Input packets:                              0                         [0]
  Output packets:                             0                         [0]
Remote statistics:
  Input bytes:                                0 (0 bps)                 [0]
  Output bytes:                          512450 (1640 bps)              [2040]
  Input packets:                              0 (0 pps)                 [0]
  Output packets:                          5027 (2 pps)                 [20]
Traffic statistics:
  Input bytes:                                                          [0]
2020-11-18: Article modified to include family vpls in configuration in Solution section instead of family inet; no other changes made