{
	"id": "196162f8-17ab-437a-9f0b-73d6d7711697",
	"created_at": "2026-04-06T00:08:55.807604Z",
	"updated_at": "2026-04-10T03:19:58.4075Z",
	"deleted_at": null,
	"sha1_hash": "42993772fa2798f1dde0380574646dd209f9a0d2",
	"title": "Port Mirroring and Analyzers | Junos OS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256433,
	"plain_text": "Port Mirroring and Analyzers | Junos OS\r\nArchived: 2026-04-05 19:26:57 UTC\r\nThis section describes how port mirroring sends network traffic to analyzer applications.\r\nUnderstanding Port Mirroring and Analyzers\r\nPort mirroring and analyzers send network traffic to devices running analyzer applications. A port mirror copies\r\nLayer 3 IP traffic to an interface. An analyzer copies bridged (Layer 2) packets to an interface. Mirrored traffic can\r\nbe sourced from single or multiple interfaces. You can use a device attached to a mirror output interface running\r\nan analyzer application to perform tasks such as monitoring compliance, enforcing policies, detecting intrusions,\r\nmonitoring network performance, correlating events, and other problems on the network.\r\nOn routers containing an Internet Processor II application-specific integrated circuit (ASIC) or T Series Internet\r\nProcessor, port mirroring copies Unicast packets entering or exiting a port or entering a VLAN and sends those\r\ncopies to a local interface for local monitoring or to a VLAN for remote monitoring. The mirrored traffic is\r\nreceived by applications that help you analyze that traffic.\r\nPort mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is\r\nsent to the Routing Engine, where a key is placed in a file or cflowd. Packets based on that key are sent to a\r\ncflowd server. 
In port mirroring, the entire packet is copied and sent out through the specified interface where it\r\ncan be captured and analyzed in detail.\r\nUse port mirroring to send traffic to devices that analyze traffic for purposes such as monitoring compliance,\r\nenforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on.\r\nPort mirroring is needed when you want to perform traffic analysis because a switch normally sends packets only\r\nto the port to which the destination device is connected. You probably do not want to send the original packets for\r\nanalysis before they are forwarded because of the delay that this would cause, so the common alternative is to\r\nconfigure port mirroring to send copies of unicast traffic to another interface and run an analyzer application on a\r\ndevice connected to that interface.\r\nTo configure port mirroring, configure a port-mirroring instance, but don't specify an input for it. Instead, create a\r\nfirewall filter that specifies the required traffic, and directs it to the instance. Use the port-mirror action in a\r\nthen term of the filter for this. The firewall filter must be configured as family inet.\r\nKeep performance in mind when configuring port mirroring. Configuring the firewall filter to mirror only the\r\nnecessary packets reduces the possibility of a performance impact.\r\nYou can configure an analyzer statement to define both the input traffic and output traffic in the same analyzer\r\nconfiguration. The traffic to be analyzed can be traffic that enters or exits an interface, or traffic that enters a\r\nVLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, or VLAN. 
You\r\ncan configure an analyzer at the [edit forwarding-options analyzer] hierarchy.\r\nhttps://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html\r\nPage 1 of 32\n\nNote:\r\nOn EX Series switches, when you disable any interface in a remote port mirroring VLAN, you will need to re-enable the disabled interface and reconfigure the analyzer session to resume port mirroring.\r\nYou can use port mirroring to copy:\r\nAll of the packets entering or exiting an interface in any combination. Copies of packets entering some\r\ninterfaces and packets exiting other interfaces can be sent to the same local interface or VLAN. If you\r\nconfigure port mirroring to copy packets exiting an interface, traffic that originates on that switch or Node\r\ndevice (in a QFabric system) is not copied when it egresses. Only switched traffic is copied on egress. (See\r\nthe limitation on egress mirroring below.)\r\nAny or all packets entering a VLAN. You cannot use port mirroring to copy packets exiting a VLAN.\r\nA firewall-filtered sample of packets entering a port or VLAN.\r\nFirewall filters are not supported on egress ports; that is, you cannot specify policy-based sampling of\r\npackets exiting an interface.\r\nIn VXLAN environments, firewall-filter based port-mirroring is not supported on core- or spine-facing\r\ninterfaces.\r\nYou can configure both traffic sampling and port mirroring, setting an independent sampling rate and run-length\r\nfor port-mirrored packets. However, if a packet is selected for both traffic sampling and port mirroring, only port\r\nmirroring is executed, as it takes precedence. In other words, if you configure an interface to traffic sample every\r\npacket input to the interface and port mirroring also selects that packet to be copied and sent to the destination\r\nport, only the port mirroring process is executed. 
Traffic sampled packets that are not selected for port mirroring\r\ncontinue to be sampled and forwarded to the cflowd server.\r\nPort Mirroring and Analyzer Terms and Definitions\r\nInstance Types\r\nPort Mirroring and STP\r\nConstraints and Limitations\r\nPort Mirroring on QFX5230-64CD and QFX5240 Switches\r\nPort Mirroring on QFX10000 Series Switches\r\nPort Mirroring on QFabric\r\nPort Mirroring on OCX Series Switches\r\nPort Mirroring and Analyzer Terms and Definitions\r\nThe following tables provide terms and definitions for the port mirroring and analyzer documentation.\r\nTable 1: Terminology\r\nTerm Definition\r\nAnalyzer\r\nFor EX2300, EX3400, or EX4300 switches, in a mirroring configuration (analyzer), the analyzer includes:\r\nThe name of the analyzer\r\nSource (input) ports or VLAN (optional)\r\nAnalyzer instance\r\nPort-mirroring configuration that includes a name, source interfaces or source VLAN,\r\nand a destination for mirrored packets (either a local interface or a VLAN).\r\nAnalyzer output\r\ninterface (also\r\nknown as monitor\r\nport)\r\nInterface to which mirrored traffic is sent and to which a protocol analyzer application\r\nis connected.\r\nFor EX2300, EX3400, and EX4300 switches, interfaces used as output for an analyzer\r\nmust be configured as family ethernet-switching. In addition, the following limitations\r\nfor analyzer output interfaces apply:\r\nCannot also be a source port.\r\nCannot be used for switching.\r\nDo not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP),\r\nwhen part of a port mirroring configuration.\r\nIf the bandwidth of the analyzer output interface is not sufficient to handle the\r\ntraffic from the source ports, overflow packets are dropped.\r\nAnalyzer VLAN\r\n(also known as\r\nmonitor VLAN)\r\nVLAN to which mirrored traffic is sent. 
The mirrored traffic can be used by a protocol\r\nanalyzer application. The member interfaces in the monitor VLAN are spread across\r\nthe switches in your network.\r\nBridge-domain-based analyzer\r\nAn analyzer session configured to use bridge domains for input, output or both.\r\nDefault analyzer\r\nAn analyzer with default mirroring parameters. By default, the mirroring rate is 1 and\r\nthe maximum packet length is the length of the complete packet.\r\nGlobal port mirror\r\nA port mirroring configuration that does not have an instance name. The firewall filter\r\naction port-mirror will be the action for the firewall filter configuration.\r\nInput interface\r\n(also known as\r\nmirrored or\r\nmonitored\r\ninterface)\r\nAn interface that copies traffic to the mirror interface. This traffic can be entering or\r\nexiting (ingress or egress) the interface.\r\nA mirrored input interface cannot be used as an output interface to the analyzer device.\r\nLAG-based\r\nanalyzer\r\nAn analyzer that has a link aggregation group (LAG) specified as the input (ingress)\r\ninterface in the analyzer configuration.\r\nLocal port\r\nmirroring\r\nA port-mirroring configuration where the mirrored packets are copied to an interface on\r\nthe same switch.\r\nMonitoring station A computer running a protocol analyzer application.\r\nNext-hop based\r\nanalyzer\r\nAn analyzer configuration that uses the next-hop group as the output to an analyzer.\r\nNative analyzer\r\nsession\r\nAn analyzer session that has both input and output definitions in its analyzer\r\nconfiguration.\r\nPolicy-based\r\nmirroring\r\nMirroring of packets that match a firewall filter term. 
The action analyzer analyzer-name is used in the firewall filter to send specified packets to the analyzer.\r\nPort-based\r\nanalyzer\r\nAn analyzer session whose configuration defines interfaces for both input and output.\r\nPort mirroring\r\ninstance\r\nA port-mirroring configuration that does not specify an input source; it specifies only\r\nan output destination. A firewall filter configuration must be defined for the input\r\nsource: packets that match the match conditions of a firewall filter term are mirrored.\r\nThe action port-mirror-instance instance-name in the firewall filter configuration is\r\nused to send packets to the port mirror, and these packets form the input source.\r\nNote: Port mirroring instance is not supported on NFX150 devices.\r\nProtocol analyzer\r\napplication\r\nAn application used to examine packets transmitted across a network segment. 
Also\r\ncommonly called network analyzer, packet sniffer, or probe.\r\nOutput interface\r\n(also known as the\r\nmonitor interface)\r\nThe interface to where the copies of packets are sent and to which a device running an\r\nanalyzer is connected.\r\nThe following limitations apply to an output interface (the target mirror interface):\r\nCannot also be a source port.\r\nCannot be used for switching.\r\nCannot be an aggregated Ethernet interface (LAG).\r\nCannot participate in Layer 2 protocols, such as Spanning Tree Protocol (STP).\r\nExisting VLAN associations are lost when port mirroring is applied to the\r\ninterface.\r\nPackets are dropped if the capacity of the output interface is insufficient to\r\nhandle the traffic from the mirrored source ports.\r\nOutput IP address\r\nIP address of the device running an analyzer application. The device can be on a remote\r\nnetwork.\r\nWhen you use this feature:\r\nMirrored packets are GRE-encapsulated. The analyzer application must be able\r\nto de-encapsulate GRE-encapsulated packets or the GRE-encapsulated packets\r\nmust be de-encapsulated before reaching the analyzer application. (You can use\r\na network sniffer to de-encapsulate the packets.)\r\nThe output IP address cannot be in the same subnetwork as any of the switch\r\nmanagement interfaces.\r\nIf you create virtual routing instances and an analyzer configuration that\r\nincludes an output IP address, the output IP address belongs to the default virtual\r\nrouting instance (inet.0 routing table).\r\nOutput VLAN\r\n(also known as\r\nmonitor or\r\nanalyzer VLAN)\r\nVLAN to where copies of the packets are sent and to where a device running an\r\nanalyzer is connected. 
The analyzer VLAN can span multiple switches.\r\nThe following limitations apply to an output VLAN:\r\nCannot be a private VLAN or VLAN range.\r\nCannot be shared by multiple analyzer statements.\r\nCannot be a member of any other VLAN.\r\nCannot be an aggregated Ethernet interface (LAG).\r\nOn some switches, only one interface can be a member of the analyzer VLAN.\r\nThis limitation does not apply on the QFX10000 switch. When ingress traffic is\r\nmirrored, multiple QFX10000 interfaces can belong to the output VLAN and\r\ntraffic is mirrored from all of those interfaces. If egress traffic is mirrored on a\r\nQFX10000 switch, only one interface can be a member of the analyzer VLAN.\r\nRemote port\r\nmirroring\r\nFunctions the same as local port mirroring, except that the mirrored traffic is not copied\r\nto a local analyzer port but is flooded to an analyzer VLAN that you create specifically\r\nfor the purpose of receiving mirrored traffic.\r\nYou cannot send mirrored packets to a remote IP address on a QFabric system.\r\nVLAN-based\r\nanalyzer\r\nAn analyzer session whose configuration uses VLANs for both input and output or for\r\neither input or output.\r\nInstance Types\r\nTo configure port mirroring, configure an instance of one of the following types:\r\nAnalyzer instance—Specify the input and output for the instance. This instance type is useful for ensuring\r\nthat all traffic transiting an interface or entering a VLAN is mirrored and sent to the analyzer.\r\nPort-mirroring instance—You create a firewall filter that identifies the desired traffic and copies it to the\r\nmirror port. You do not specify an input for this instance type. This instance type is useful for controlling\r\nthe types of traffic that are mirrored. 
You can direct traffic to it in the following ways:\r\nSpecify the name of the port-mirroring instance in the firewall filter by using the port-mirror-instance instance-name action when there are multiple port-mirroring instances defined.\r\nSend the mirrored packets to the output interface defined in the instance by using the port-mirror\r\naction when there is only one port-mirroring instance defined.\r\nFor QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600 and EX4650 switches, the following port\r\nmirroring guidelines apply:\r\nA maximum of four port mirroring instances, or four analyzer sessions, can be configured at the same time.\r\nIn other words, you cannot configure four port mirroring instances and four analyzer sessions together.\r\nIf there are no port mirroring instances (that is, only analyzer sessions are configured), then you can enable\r\nup to three analyzer sessions for ingress and egress mirroring. The remaining analyzer session must be used\r\nfor ingress mirroring only.\r\nIf you have only one port mirroring instance configured, then of the remaining instances, you can configure\r\nup to three analyzers for ingress mirroring, and two analyzers for egress mirroring.\r\nIf you have two port mirroring instances configured, then of the remaining instances, you can configure up\r\nto two analyzers for ingress mirroring, and one analyzer for egress mirroring.\r\nIf you have three port mirroring instances configured, then the remaining instance can only be configured as\r\nan analyzer (for either ingress or egress mirroring).\r\nPort Mirroring and STP\r\nThe behavior of STP in a port-mirroring configuration depends on the version of Junos OS you are using:\r\nJunos OS 13.2X50, Junos OS 13.2X51-D25 or earlier, Junos OS 13.2X52: When STP is enabled, port\r\nmirroring might not succeed because STP might block the mirrored packets.\r\nJunos 
OS 13.2X51-D30, Junos OS 14.1X53: STP is disabled for mirrored traffic. You must ensure that\r\nyour topology prevents loops of this traffic.\r\nConstraints and Limitations\r\nThe following constraints and limitations apply to port mirroring:\r\nMirroring only the packets required for analysis reduces the risk of degrading overall performance. If you\r\nmirror traffic from multiple ports, the mirrored traffic might exceed the capacity of the output interface. The\r\noverflow packets are dropped. We recommend that you limit the amount of mirrored traffic by selecting specific\r\ninterfaces and avoid using the all keyword. You can also limit the amount of mirrored traffic by using a firewall\r\nfilter to send specific traffic to the port mirroring instance.\r\nYou can create a total of four port-mirroring configurations.\r\nOn EX9200 switches, port mirroring is not supported on EX9200-15C line cards.\r\nEach Node group in a QFabric system is subject to the following constraints:\r\nUp to four of the configurations can be used for local port mirroring.\r\nUp to three of the configurations can be used for remote port mirroring.\r\nRegardless of whether you are configuring a standalone switch or a Node group:\r\nThere can be no more than two configurations that mirror ingress traffic. 
If you configure a firewall\r\nfilter to send mirrored traffic to a port, this counts as an ingress mirroring configuration for the\r\nswitch or Node group to which the filter is applied.\r\nThere can be no more than two configurations that mirror egress traffic.\r\nOn QFabric systems, there is no system-wide limit on the total number of mirror sessions.\r\nYou can configure only one type of output in one port-mirroring configuration to complete a set analyzer\r\nname output statement:\r\ninterface\r\nip-address\r\nvlan\r\nConfigure mirroring in an analyzer (with set forwarding-options analyzer) on only one logical\r\ninterface for the same physical interface. If you try to configure mirroring on multiple logical interfaces\r\nconfigured on a physical interface, only the first logical interface is successfully configured; the remaining\r\nlogical interfaces return configuration errors.\r\nIf you mirror egress packets, do not configure more than 2000 VLANs on a standalone switch or QFabric\r\nsystem. If you do, some VLAN packets might contain incorrect VLAN IDs. 
This applies to any VLAN\r\npackets, not just the mirrored copies.\r\nThe ratio and loss-priority options are not supported.\r\nPackets with physical layer errors are not sent to the output port or VLAN.\r\nIf you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit the\r\noutput interface.\r\nYou cannot mirror packets exiting or entering the following ports:\r\nDedicated Virtual Chassis interfaces\r\nManagement interfaces (me0 or vme0)\r\nFibre Channel interfaces\r\nIntegrated routing and bridging (IRB) interfaces (also known as routed VLAN interfaces or RVIs)\r\nIn a port-mirroring instance, you cannot configure an inet or inet6 interface as the output interface.\r\nThe following switches do not support the set forwarding-options port-mirroring instance\r\n\u003cinstance-name\u003e family inet output interface \u003cinterface-name\u003e configuration:\r\nTable 2: Switches Not Supporting family inet/inet6 as Output Interface\r\nEX Switches QFX Switches\r\nEX2300 QFX3500\r\nEX3400 QFX5100\r\nEX4100 QFX5110\r\nEX4300 QFX5120\r\nEX4400 QFX5130\r\nEX4600 QFX5200\r\nEX4650 QFX5210\r\n  QFX5220\r\n  QFX5700\r\nAn aggregated Ethernet interface cannot be an output interface if the input is a VLAN or if traffic is sent to\r\nthe analyzer by using a firewall filter.\r\nWhen mirrored packets are sent out of an output interface, they are not modified for any changes that might\r\nbe applied to the original packets on egress, such as CoS rewriting.\r\nAn interface can be the input interface for only one mirroring configuration. 
Do not use the same interface\r\nas the input interface for multiple mirroring configurations.\r\nCPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.\r\nVLAN-based mirroring is not supported for STP traffic.\r\n(QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and\r\noutput interfaces are on different Node devices, the mirrored copies will have incorrect VLAN IDs.\r\nThis limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and\r\noutput interfaces are on the same Node device. In this case the mirrored copies will have the correct VLAN\r\nIDs (as long as you do not configure more than 2000 VLANs on the QFabric system).\r\nTrue egress mirroring is defined as mirroring the exact number of copies and the exact packet\r\nmodifications that went out the egress port. Because the processors on QFX5100 and EX4600 switches\r\nimplement egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet\r\nmodifications, so egress mirrored traffic can carry incorrect VLAN tags that differ from the tags in the\r\noriginal traffic.\r\nIf you configure a port-mirroring instance to mirror traffic exiting an interface that performs VLAN\r\nencapsulation, the source and destination MAC addresses of the mirrored packets are not the same as those\r\nof the original packets.\r\nMirroring on member interfaces of a LAG is not supported.\r\nEgress VLAN mirroring is not supported.\r\nThe following constraints and limitations apply to remote port mirroring:\r\nIf you configure an output IP address, that address cannot be in the same subnetwork as any of the switch\r\nmanagement interfaces.\r\nIf you create virtual routing instances and you create an analyzer configuration that includes an output IP\r\naddress, 
the output IP address belongs to the default virtual routing instance (inet.0 routing table).\r\nAn output VLAN cannot be a private VLAN or VLAN range.\r\nAn output VLAN cannot be shared by multiple analyzer sessions or port-mirror instances.\r\nAn output VLAN interface cannot be a member of any other VLAN.\r\nAn output VLAN interface cannot be an aggregated Ethernet interface.\r\nIf the output VLAN has more than one member interface, then traffic is mirrored only to the first member\r\nof the VLAN, and other members of the same VLAN do not carry any mirrored traffic.\r\nFor remote port mirroring to an IP address (GRE encapsulation), if you configure more than one analyzer\r\nsession or port-mirror instance, and the IP addresses of the analyzers or port-mirror instance are reachable\r\nthrough the same interface, then only one analyzer session or port-mirror instance will be configured.\r\nThe number of possible output interfaces in remote port mirroring varies among the switches in the\r\nQFX5K line:\r\nQFX5110, QFX5120, QFX5210—Support a maximum of 4 output interfaces.\r\nQFX5100 and QFX5200—Support a maximum of 3 output interfaces.\r\nWhenever any member in a remote port mirroring VLAN is removed from that VLAN, reconfigure the\r\nanalyzer session for that VLAN.\r\nConstraints and Limitations for QFX5100 and QFX5200 Switches\r\nThe following considerations apply to port mirroring on QFX5100 and QFX5200 switches:\r\nWhen configuring mirroring with output to IP address, the destination IP address should be reachable, and\r\nARP must be resolved.\r\nECMP (Equal Cost Multiple Path) load balancing is not supported for mirrored destinations.\r\nThe number of output interfaces in remote port mirroring (RSPAN) varies. For QFX5110, QFX5120, and\r\nQFX5210 switches, the maximum is four output interfaces. 
For QFX5100 and QFX5200 switches, the\r\nmaximum is three.\r\nWhen specifying a link aggregation group (LAG) as the mirroring output interface, a maximum of eight\r\ninterfaces are mirrored.\r\nThe mirroring input can be a LAG, a physical interface with any unit (such as ae0.101 or xe-0/0/0.100), or\r\na sub-interface. In any case, all the traffic on the LAG or physical interface is mirrored.\r\nYou cannot set up an independent mirroring instance on a member interface of a LAG.\r\nAn output interface that is included in one mirroring instance cannot also be used in another mirroring\r\ninstance.\r\nIn a port-mirroring instance, packets that are dropped in the egress pipeline of the forwarding path are nevertheless\r\nmirrored to the destination. This is because the mirroring action occurs at the ingress pipeline, before the\r\ndrop action.\r\nIn a port-mirroring instance, only one mirror output destination can be specified.\r\nOutput mirror destinations that are configured across multiple port-mirroring or analyzer instances must all\r\nbe unique.\r\nFor ERSPAN, egress mirroring is not supported when the output of the analyzer or port-mirroring instance is a remote IPv6 address.\r\nFor local mirroring, the output interface must be family ethernet-switching, with or without VLAN\r\n(that is, not a Layer 3 interface).\r\nWhen configuring a port-mirroring or analyzer instance in a service provider environment, use the VLAN\r\nname rather than the VLAN ID.\r\nPort Mirroring on QFX5230-64CD and QFX5240 Switches\r\nThis section of the document describes a port-mirroring configuration detail that is specific to QFX5230‑64CD\r\nand QFX5240 switches. 
For general information about port mirroring on switches, see earlier sections in this Port\r\nMirroring and Analyzers document.\r\nUse the values given in the following list to configure the number of mirroring sessions on the QFX5230‑64CD\r\nand QFX5240 switches. These are maximum configuration values for three types of mirroring sessions—ingress\r\nmirrors, egress mirrors, and port-mirroring instances. The values are tuned to make the best use of the total\r\nnumber of available mirroring sessions:\r\nOn QFX5230-64CD:\r\nTotal mirror sessions available: 8\r\nMax. ingress mirror: 5\r\nMax. egress mirror: 3\r\nMax. port-mirror: 3\r\nFor example, if you configure 3 port-mirroring instances, you then have a maximum of 5 sessions to split\r\nbetween ingress mirrors and egress mirrors.\r\nOn QFX5240:\r\nTotal mirror sessions available: 7\r\nMax. ingress mirror: 4\r\nMax. egress mirror: 3\r\nMax. port-mirror: 3\r\nFor example, if you configure 1 port-mirroring instance, you then have a maximum of 6 sessions to split\r\nbetween ingress mirrors and egress mirrors.\r\nPort Mirroring on QFX10000 Series Switches\r\nThe following list describes constraints and limitations that apply specifically to QFX10000 Series switches. For\r\ngeneral information about port mirroring on switches, see earlier sections in this Port Mirroring and Analyzers\r\ndocument that do not specifically call out other platform names in the section title.\r\nOnly ingress global port mirroring is supported. You can configure global port mirroring with input\r\nparameters such as rate, run-length, and maximum-packet-length. Egress global port mirroring is\r\nnot supported.\r\nPort mirroring instances are supported only for remote port mirroring. 
Port mirroring global instances are\r\nsupported for local mirroring.\r\nLocal port mirroring is supported on these firewall filter families only: inet and inet6.\r\nLocal port mirroring is not supported on firewall filter families any or ccc.\r\nPort Mirroring on QFabric\r\nThe following constraints and limitations apply to local and remote port mirroring:\r\nYou can create a total of four port-mirroring configurations.\r\nEach Node group in a QFabric system is subject to the following constraints:\r\nUp to four of the configurations can be used for local port mirroring.\r\nUp to three of the configurations can be used for remote port mirroring.\r\nRegardless of whether you are configuring a standalone switch or a Node group:\r\nThere can be no more than two configurations that mirror ingress traffic. If you configure a firewall\r\nfilter to send mirrored traffic to a port—that is, you use the analyzer action modifier in a filter\r\nterm—this counts as an ingress mirroring configuration for the switch or Node group to which the\r\nfilter is applied.\r\nThere can be no more than two configurations that mirror egress traffic.\r\nOn QFabric systems, there is no system-wide limit on the total number of mirror sessions.\r\nYou can configure only one type of output in one port-mirroring configuration to complete a set analyzer\r\nname output statement:\r\ninterface\r\nip-address\r\nvlan\r\nConfigure mirroring in an analyzer (with set forwarding-options analyzer) on only one logical\r\ninterface for the same physical interface. If you try to configure mirroring on multiple logical interfaces\r\nconfigured on a physical interface, only the first logical interface is successfully configured; the remaining\r\nlogical interfaces return configuration errors.\r\nIf you mirror egress packets, do not configure more than 2000 VLANs on a QFX Series switch. 
If you do,\r\nsome VLAN packets might contain incorrect VLAN IDs. This applies to any VLAN packets, not just the\r\nmirrored copies.\r\nThe ratio and loss-priority options are not supported.\r\nPackets with physical layer errors are not sent to the output port or VLAN.\r\nIf you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit the\r\noutput interface.\r\nYou cannot mirror packets exiting or entering the following ports:\r\nDedicated Virtual Chassis interfaces\r\nManagement interfaces (me0 or vme0)\r\nFibre Channel interfaces\r\nIntegrated routing and bridging (IRB) interfaces (also known as routed VLAN interfaces or RVIs)\r\nAn aggregated Ethernet interface cannot be an output interface if the input is a VLAN or if traffic is sent to\r\nthe analyzer by using a firewall filter.\r\nWhen mirrored packets are sent out of an output interface, they are not modified for any changes that might\r\nbe applied to the original packets on egress, such as CoS rewriting.\r\nAn interface can be the input interface for only one mirroring configuration. Do not use the same interface\r\nas the input interface for multiple mirroring configurations.\r\nCPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.\r\nVLAN-based mirroring is not supported for STP traffic.\r\n(QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and\r\noutput interfaces are on different Node devices, the mirrored copies will have incorrect VLAN IDs.\r\nThis limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and\r\noutput interfaces are on the same Node device. 
In this case the mirrored copies will have the correct VLAN\r\nIDs (as long as you do not configure more than 2000 VLANs on the QFabric system).\r\nTrue egress mirroring is defined as mirroring the exact number of copies and the exact packet\r\nmodifications that went out the egress port. Because the processors on QFX5xxx (including QFX5100,\r\nQFX5110, QFX5120, QFX5200, and QFX5210) and EX4600 (including EX4600 and EX4650) switches\r\nimplement egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet\r\nmodifications, so egress mirrored traffic can carry incorrect VLAN tags that differ from the tags in the\r\noriginal traffic.\r\nIf you configure a port-mirroring instance to mirror traffic exiting an interface that performs VLAN\r\nencapsulation, the source and destination MAC addresses of the mirrored packets are not the same as those\r\nof the original packets.\r\nMirroring on member interfaces of a LAG is not supported.\r\nEgress VLAN mirroring is not supported.\r\nPort Mirroring on OCX Series Switches\r\nThe following constraints and limitations apply to port mirroring on OCX Series switches:\r\nYou can create a total of four port-mirroring configurations. 
There can be no more than two configurations that mirror ingress or egress traffic.\r\nIf you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit the output interface.\r\nYou can create only one port-mirroring session.\r\nYou cannot mirror packets exiting or entering the following ports:\r\nDedicated Virtual Chassis interfaces\r\nManagement interfaces (me0 or vme0)\r\nFibre Channel interfaces\r\nRouted VLAN interfaces or IRB interfaces\r\nAn aggregated Ethernet interface cannot be an output interface.\r\nDo not include an 802.1Q subinterface that has a unit number other than 0 in a port mirroring configuration. Port mirroring does not work with subinterfaces if their unit number is not 0. (You configure 802.1Q subinterfaces by using the vlan-tagging statement.)\r\nWhen packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.\r\nAn interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.\r\nCPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.\r\nVLAN-based mirroring is not supported for STP traffic.\r\nPort Mirroring on EX2300, EX3400, and EX4300 Switches\r\nMirroring might be needed for traffic analysis on a switch because a switch, unlike a hub, does not broadcast packets to every port on the destination device. 
The switch sends packets only to the port to which the destination device is connected.\r\nOverview\r\nJunos OS running on EX2300, EX3400, and EX4300 Series switches supports the Enhanced Layer 2 Software (ELS) configurations that facilitate analyzing traffic on these switches at the packet level.\r\nYou use port mirroring to copy packets to a local interface for local monitoring or to a VLAN for remote monitoring. You can use analyzers to enforce policies concerning network usage and file sharing, and to identify sources of problems on your network by locating abnormal or heavy bandwidth usage by specific stations or applications.\r\nPort mirroring is configured at the [edit forwarding-options port-mirroring] hierarchy level. To mirror routed (Layer 3) packets, you can use the port mirroring configuration in which the family statement is set to inet or inet6.\r\nYou can use port mirroring to copy these packets:\r\nPackets entering or exiting a port—You can mirror packets entering or exiting any combination of up to 256 ports. In other words, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.\r\nPackets entering a VLAN—You can mirror the packets entering a VLAN to either a local analyzer port or to an analyzer VLAN. You can configure up to 256 VLANs, including a VLAN range and PVLANs, as ingress input to an analyzer.\r\nPolicy-based sample packets—You can mirror a policy-based sample of packets that are entering a port or a VLAN. 
You configure a firewall filter to establish a policy to select the packets to be mirrored and send the sample to a port-mirroring instance or to an analyzer VLAN.\r\nYou can configure port mirroring on the switch to send copies of Unicast traffic to an output destination such as an interface, a routing-instance, or a VLAN. Then, you can analyze the mirrored traffic by using a protocol analyzer application. The protocol analyzer application can run either on a computer connected to the analyzer output interface or on a remote monitoring station. For the input traffic, you can configure a firewall filter term to specify whether port mirroring must be applied to all packets at the interface to which the firewall filter is applied. You can apply a firewall filter configured with the action port-mirror or port-mirror-instance name to the input or output logical interfaces (including aggregated Ethernet logical interfaces), to traffic forwarded or flooded to a VLAN, or to traffic forwarded or flooded to a VPLS routing instance. EX2300, EX3400, and EX4300 switches support port mirroring of VPLS (family ethernet-switching or family vpls) traffic and VPN traffic with family ccc in a Layer 2 environment.\r\nWithin a firewall filter term, you can specify the port-mirroring properties under the then statement in the following ways:\r\nImplicitly reference the port-mirroring properties in effect on the port.\r\nExplicitly reference a particular named instance of port mirroring.\r\nConfiguration Guidelines for Port Mirroring and Analyzers on EX2300, EX3400, and EX4300 Switches\r\nWhen you configure port mirroring, we recommend that you follow certain guidelines to ensure that you obtain optimum benefit from mirroring. 
Additionally, we recommend that you disable mirroring when you are not using\r\nit and that you select specific interfaces for which packets must be mirrored (that is, select specific interfaces as\r\ninput to the analyzer) in preference to using the all keyword option that enables mirroring on all interfaces and\r\ncan impact overall performance. Mirroring only the necessary packets reduces any potential performance impact.\r\nWith local mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output\r\ninterface for an analyzer reaches capacity, packets are dropped. Thus, while configuring an analyzer, you must\r\nconsider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.\r\nYou can configure an analyzer at the [edit forwarding-options analyzer] hierarchy.\r\nNote:\r\nTrue egress mirroring is defined as mirroring the exact number of copies and the exact packet modifications that\r\nwent out the egress switched port. 
Because the processor on EX2300 and EX3400 switches implements egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet modifications, so egress mirrored traffic can carry VLAN tags that differ from the tags in the original traffic.\r\nTable 3 summarizes additional configuration guidelines for mirroring on EX2300, EX3400, and EX4300 switches.\r\nTable 3: Configuration Guidelines for Port Mirroring and Analyzers on EX2300, EX3400, and EX4300 Switches\r\nGuideline | Value or Support Information | Comment\r\nNumber of VLANs that you can use as ingress input to an analyzer. | 256 |\r\nNumber of port-mirroring sessions and analyzers that you can enable concurrently. | 4 | You can configure a total of four sessions and you can enable only one of the following at any point in time: a maximum of four port-mirroring sessions (including the global port-mirroring session); a maximum of four analyzer sessions; or a combination of port-mirroring and analyzer sessions whose total is four. You can configure more than the specified number of port-mirroring instances or analyzers on the switch, but you can enable only the specified number for a session.\r\nTypes of ports on which you cannot mirror traffic. | Virtual Chassis ports (VCPs); Management Ethernet ports (me0 or vme0); Integrated routing and bridging (IRB) interfaces, also known as routed VLAN interfaces (RVIs); VLAN-tagged Layer 3 interfaces |\r\nProtocol families that you can include in a port-mirroring configuration for remote traffic. | any |\r\nTraffic directions that you can configure for mirroring on ports in firewall-filter–based configurations. | Ingress and egress |\r\nMirrored packets exiting an interface that reflect rewritten class-of-service (CoS) DSCP or 802.1p bits. | Applicable |\r\nPackets with physical layer errors. | Applicable | Packets with these errors are filtered out and thus are not sent to the analyzer.\r\nPort mirroring does not support line-rate traffic. | Applicable | Port mirroring for line-rate traffic is done on a best-effort basis.\r\nMirroring of packets egressing a VLAN. | Not supported |\r\nPort-mirroring or analyzer output on a LAG interface. | Supported |\r\nMaximum number of child members on a port-mirroring or analyzer output LAG interface. | 8 |\r\nMaximum number of interfaces in a remote port-mirroring or analyzer VLAN. | 1 |\r\nEgress mirroring of host-generated control packets. | Not supported |\r\nConfiguring Layer 3 logical interfaces in the input stanza of an analyzer. | Not supported | This functionality can be achieved by configuring port mirroring.\r\nThe analyzer input and output stanzas containing members of the same VLAN or the VLAN itself must be avoided. | Applicable |\r\nPort Mirroring on ACX7024, ACX7100, ACX7509, EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches\r\nJuniper Networks Junos operating system (Junos OS) running on ACX7024, ACX7100, ACX7509, EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200 or EX8200 Series switches does not support Enhanced Layer 2 Software (ELS) configurations. 
As such, Junos OS does not include the port-mirroring statement found at the edit forwarding-options level of the hierarchy of other Junos OS packages, or the port-mirror action in firewall filter terms.\r\nYou can use port mirroring to facilitate analyzing traffic on your Juniper Networks EX Series Ethernet Switch on a packet level. You might use port mirroring as part of monitoring switch traffic for such purposes as enforcing policies concerning network usage and file sharing and for identifying sources of problems on your network by locating abnormal or heavy bandwidth usage by particular stations or applications.\r\nYou can use port mirroring to copy these packets to a local interface or to a VLAN:\r\nPackets entering or exiting a port. You can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.\r\nPackets entering a VLAN on ACX7024, ACX7100, ACX7509, EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switches\r\nPackets exiting a VLAN on EX8200 switches\r\nOverview\r\nPort mirroring is used for traffic analysis on a switch because a switch, unlike a hub, does not broadcast packets to every port on the destination device. The switch sends packets only to the port to which the destination device is connected.\r\nYou configure port mirroring on the switch to send copies of Unicast traffic to either a local analyzer port or an analyzer VLAN. Then you can analyze the mirrored traffic by using a protocol analyzer. 
The protocol analyzer can run either on a computer connected to the analyzer output interface or on a remote monitoring station.\r\nYou can use port mirroring to mirror any of the following:\r\nPackets entering or exiting a port—You can mirror packets entering or exiting any combination of up to 256 ports. In other words, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.\r\nPackets entering a VLAN on an ACX7024, ACX7100, ACX7509, EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switch—You can mirror the packets entering a VLAN to an analyzer VLAN. On EX3200, EX4200, EX4500, and EX4550 switches, you can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as ingress input to an analyzer.\r\nPackets exiting a VLAN on an EX8200 switch—You can mirror the packets exiting a VLAN on an EX8200 switch to either a local analyzer port or to an analyzer VLAN. You can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as egress input to an analyzer.\r\nStatistical samples—You can mirror a statistical sample of packets that are:\r\nEntering or exiting a port\r\nEntering a VLAN on an ACX7024, ACX7100, ACX7509, EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switch\r\nExiting a VLAN on an EX8200 switch\r\nYou specify the sample number of packets by setting the ratio. You can send the sample to either a local analyzer port or to an analyzer VLAN.\r\nPolicy-based sample—You can mirror a policy-based sample of packets that are entering a port or a VLAN. You configure a firewall filter to establish a policy to select the packets to be mirrored. 
You can\r\nsend the sample to a local analyzer port or to an analyzer VLAN.\r\nConfiguration Guidelines for ACX7024, ACX7100, ACX7509, EX2200, EX3200, EX3300, EX4200,\r\nEX4500, EX4550, EX6200, and EX8200 Series Switches\r\nWhen you configure port mirroring, we recommend that you follow certain guidelines to ensure that you obtain\r\noptimum benefit from the port mirroring feature. Additionally, we recommend that you disable port mirroring\r\nwhen you are not using it and that you select specific interfaces for which packets must be mirrored (that is, select\r\nspecific interfaces as input to the analyzer) as opposed to using the all keyword that enables port mirroring on\r\nall interfaces and can impact overall performance. You can also limit the amount of mirrored traffic by using\r\nstatistical sampling, setting a ratio to select a statistical sample, or using a firewall filter. Mirroring only the\r\nnecessary packets reduces any potential performance impact.\r\nWith local port mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output\r\ninterface for an analyzer reaches capacity, packets are dropped. Thus, while configuring an analyzer, you must\r\nconsider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.\r\nNote:\r\nOn ACX5448 routers, under the [ edit forwarding-options analyzer an input egress ] hierarchy level,\r\nanalyser input must be configured only on .0 logical interfaces for ingress and egress interfaces. If you configure\r\nlogical interfaces other than .0, then an error is shown during commit. 
The following is a sample commit error shown when the analyzer input is configured on a .100 logical interface:\r\n[edit forwarding-options analyzer an input egress]\r\n 'interface ge-0/0/12.100'\r\n Analyzer input can only be on .0 interfaces\r\nerror: configuration check-out failed\r\nNote: “All other switches” or “All switches” in the description apply to all switch platforms that support port mirroring. For details on platform support, see Feature Explorer.\r\nTable 4: Configuration Guidelines\r\nGuideline | Description | Comment\r\nNumber of VLANs that you can use as ingress input to an analyzer | 16 Ingress or 8 Ingress and 8 Egress—ACX7024 devices; 1—EX2200 switches; 256—EX3200, EX4200, EX4500, EX4550, and EX6200 switches; Does not apply—EX8200 switches |\r\nNumber of analyzers that you can enable concurrently (applies to both standalone switches and to Virtual Chassis) | 1—EX2200, EX3200, EX4200, EX3300, and EX6200 switches; 7 port-based or 1 global—EX4500 and EX4550 switches; 7 total, with one based on a VLAN, firewall filter, or LAG and with the remaining 6 based on firewall filters—EX8200 switches. Note: An analyzer configured using a firewall filter does not support mirroring of packets that are egressing ports. | You can configure more than the specified number of analyzers on the switch, but you can enable only the specified number for a session. Use disable ethernet-switching-options analyzer name to disable an analyzer. See the next row entry in this table for the exception to the number of firewall-filter–based analyzers allowed on EX4500 and EX4550 switches. On an EX4550 Virtual Chassis, you can configure only one analyzer if ports in the input and output definitions are on different switches in a Virtual Chassis. To configure multiple analyzers, an entire analyzer session must be configured on the same switch of a Virtual Chassis.\r\nNumber of firewall-filter–based analyzers that you can configure on EX4500 and EX4550 switches | 1—EX4500 and EX4550 switches | If you configure multiple analyzers, you cannot attach any of them to a firewall filter.\r\nTypes of ports on which you cannot mirror traffic | Virtual Chassis ports (VCPs); Management Ethernet ports (me0 or vme0); Routed VLAN interfaces (RVIs); VLAN-tagged Layer 3 interfaces |\r\nIf port mirroring is configured to mirror packets exiting 10-Gigabit Ethernet ports on EX8200 switches, packets are dropped in both network and mirrored traffic when the mirrored packets exceed 60 percent of the 10-Gigabit Ethernet port traffic. | EX8200 switches |\r\nTraffic directions for which you can specify a ratio | Ingress only—EX8200 switches; Ingress and egress—All other switches |\r\nProtocol families that you can include in a firewall-filter-based remote analyzer | Any except inet and inet6—EX8200 switches; Any—All other switches | You can use inet and inet6 on EX8200 switches in a local analyzer.\r\nTraffic directions that you can configure for mirroring on ports in firewall-filter–based configurations | Ingress only—All switches |\r\nMirrored packets on tagged interfaces might contain an incorrect VLAN ID or Ethertype. | Both VLAN ID and Ethertype—EX2200 switches; VLAN ID only—EX3200 and EX4200 switches; Ethertype only—EX4500 and EX4550 switches; Does not apply—EX8200 switches |\r\nMirrored packets exiting an interface do not reflect rewritten class-of-service (CoS) DSCP or 802.1p bits. | All switches |\r\nThe analyzer appends an incorrect 802.1Q (dot1q) header to the mirrored packets on the routed traffic or does not mirror any packets on the routed traffic when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for that analyzer. | EX8200 switches; Does not apply—All other switches | As a workaround, configure an analyzer that uses each port (member interface) of the VLAN as egress input.\r\nPackets with physical layer errors are not sent to the local or remote analyzer. | All switches | Packets with these errors are filtered out and thus are not sent to the analyzer.\r\nPort mirroring configuration on a Layer 3 interface with the output configured to a VLAN is not available on EX8200 switches. | EX8200 switches; Does not apply—All other switches |\r\nPort mirroring does not support line-rate traffic. | All switches | Port mirroring for line-rate traffic is done on a best-effort basis.\r\nIn an EX8200 Virtual Chassis, to mirror traffic across the Virtual Chassis, the output port must be a LAG. | EX8200 Virtual Chassis; Does not apply—All other switches | In an EX8200 Virtual Chassis: you can configure LAG as a monitor port only for native analyzers; you cannot configure LAG as a monitor port for analyzers based on firewall filters; if an analyzer configuration contains LAG as a monitor port, then you cannot configure VLAN in the input definition of an analyzer.\r\nIn standalone EX8200 switches, you can configure LAG in the output definition. | EX8200 standalone switches; Does not apply—All other switches | In EX8200 standalone switches: you can configure a LAG as a monitor port on both native and firewall-based analyzers; if a configuration contains LAG as a monitor port, then you cannot configure VLAN in the input definition of an analyzer.\r\nPort Mirroring on SRX Series Firewalls\r\nPort mirroring copies packets entering or exiting a port and sends the copies to a local interface for monitoring. Port mirroring is used to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on.\r\nPort mirroring is used to send a copy of all the packets or only the sampled packets seen on a port to a network monitoring connection. You can mirror the packets either on the incoming port (ingress port mirroring) or the outgoing port (egress port mirroring).\r\nPort mirroring is supported only on the SRX Series Firewalls with the following I/O cards:\r\nSRX1K-SYSIO-GE\r\nSRX1K-SYSIO-XGE\r\nSRX3K-SFB-12GE\r\nSRX3K-2XGE-XFP\r\nSRX5K-FPC-IOC Flex I/O\r\nOn SRX Series Firewalls, all packets passing through the mirrored port are copied and sent to the specified mirror-to port. 
These ports must be on the same Broadcom chipset in the I/O cards.\r\nOn SRX Series Firewalls, port mirroring works on physical interfaces only.\r\nUnderstanding Layer 2 Port Mirroring\r\nOn routing platforms and switches that contain an Internet Processor II ASIC, you can send a copy of any incoming packet from the routing platform or switch to an external host address or a packet analyzer for analysis. This is known as port mirroring.\r\nIn Junos OS Release 9.3 and later, Juniper Networks MX Series 5G Universal Routing Platforms in a Layer 2 environment support port mirroring for Layer 2 bridging traffic and virtual private LAN service (VPLS) traffic.\r\nIn Junos OS Release 9.4 and later, MX Series routers in a Layer 2 environment support port mirroring for Layer 2 VPN traffic over a circuit cross-connect (CCC) that transparently connects logical interfaces of the same type.\r\nIn Junos OS Release 12.3R2, Juniper Networks EX Series switches support port mirroring for Layer 2 bridging traffic.\r\nLayer 2 port mirroring enables you to specify the manner in which incoming and outgoing packets at specified ports are monitored and the manner in which copies of selected packets are forwarded to another destination, where the packets can be analyzed.\r\nMX Series routers and EX Series switches support Layer 2 port mirroring by performing flow monitoring functions by using a class-of-service (CoS) architecture that is similar in concept to, but different in its particulars from, that of other routing platforms and switches.\r\nLike the M120 Multiservice Edge Router and M320 Multiservice Edge Router, MX Series routers and EX Series switches support the mirroring of IPv4, IPv6, and VPLS packets simultaneously.\r\nIn a Layer 3 environment, MX Series routers and EX Series switches support the mirroring of IPv4 (family inet) and IPv6 (family 
inet6) traffic. For information about Layer 3 port mirroring, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.\r\nLayer 2 Port Mirroring Properties\r\nPort mirroring specifies the following types of properties:\r\nPacket-Selection\r\nPacket Address Family\r\nMirror Destination Properties\r\nMirror-Once Option\r\nPacket-Selection\r\nThe packet-selection properties of Layer 2 port-mirroring specify how the sampled packets are to be selected for mirroring:\r\nThe number of packets in each sample.\r\nThe number of packets to mirror from each sample.\r\nThe length to which mirrored packets are to be truncated.\r\nPacket Address Family\r\nThe packet address family type specifies the type of traffic to be mirrored. In a Layer 2 environment, MX Series routers and EX Series switches support port mirroring for the following packet address families:\r\nFamily type ethernet-switching—For mirroring VPLS traffic when the physical interface is configured with encapsulation type ethernet-bridge.\r\nFamily type ccc—For mirroring Layer 2 VPN traffic.\r\nFamily type vpls—For mirroring VPLS traffic.\r\nNote:\r\nIn typical applications, you send mirrored packets directly to an analyzer, not to another router or switch. If you must send mirrored packets over a network, you should use tunnels. For Layer 2 VPN implementations, you can use the Layer 2 VPN routing instance type l2vpn to tunnel the packets to a remote destination.\r\nFor information about configuring a routing instance for Layer 2 VPN, see the Junos OS VPNs Library for Routing Devices. For a detailed Layer 2 VPN example configuration, see Junos OS. 
For information about tunnel interfaces, see the Junos OS Network Interfaces Library for Routing Devices.\r\nMirror Destination Properties\r\nFor a given packet address family, the mirror destination properties of a Layer 2 port-mirroring instance specify how the selected packets are to be sent on a particular physical interface:\r\nThe physical interface on which to send the selected packets.\r\nWhether filter checking is to be disabled for the mirror destination interface. By default, filter checking is enabled on all interfaces.\r\nNote:\r\nIf you apply a filter to an interface that is also a Layer 2 port-mirroring destination, a commit failure occurs unless you have disabled filter checking for that mirror destination interface.\r\nMirror-Once Option\r\nIf port mirroring is enabled at both ingress and egress interfaces, you can prevent the MX Series router or EX Series switch from sending duplicate packets to the same destination (which would complicate the analysis of the mirrored traffic).\r\nNote:\r\nThe mirror-once port-mirroring option is a global setting. 
The option is independent of the packet selection properties and the packet family type-specific mirror destination properties.\r\nApplication of Layer 2 Port Mirroring Types\r\nYou can apply different sets of Layer 2 port-mirroring properties to the VPLS packets at different ingress or egress points of an MX Series router or an EX Series switch.\r\nTable 5 describes the three types of Layer 2 port mirroring that you can configure on MX Series routers and EX Series switches: the global instance, named instances, and firewall filters.\r\nTable 5: Application of Layer 2 Port Mirroring Types\r\nType of Layer 2 Port Mirroring | Definition: Point of Application | Definition: Scope of Mirroring | Description | Configuration Details\r\nGlobal Instance of Layer 2 Port Mirroring | All ports in the MX Series router (or switch) chassis. | VPLS packets received on all ports in the MX Series router (or switch) chassis. | If configured, the global port-mirroring properties implicitly apply to all the VPLS packets received on all ports in the router (or switch) chassis. | See Configuring the Global Instance of Layer 2 Port Mirroring.\r\nNamed Instance of Layer 2 Port Mirroring | Ports grouped at the FPC level. See Binding Layer 2 Port Mirroring to Ports Grouped at the FPC Level. | VPLS packets received on ports associated with a specific DPC or FPC and its Packet Forwarding Engines. | Overrides any port-mirroring properties configured by the global port-mirroring instance. | See Defining a Named Instance of Layer 2 Port Mirroring. The number of port-mirroring destinations supported for an MX Series router and for an EX Series switch is limited to the number of Packet Forwarding Engines contained on the DPCs or FPCs installed in the router or switch chassis.\r\nNamed Instance of Layer 2 Port Mirroring | Ports grouped at the PIC level. See Binding Layer 2 Port Mirroring to Ports Grouped at the PIC Level. | VPLS packets received on ports associated with a specific Packet Forwarding Engine. | Overrides any port-mirroring properties configured at the FPC level or in the global port-mirroring instance. | Same as the FPC-level row above.\r\nLayer 2 Port-Mirroring Firewall Filter | Logical interface (including an aggregated Ethernet interface). See Applying Layer 2 Port Mirroring to a Logical Interface. | VPLS packets received or sent on a logical interface. | In the firewall filter configuration, include action and action-modifier terms to apply to the packets selected for mirroring: the accept action is recommended; the port-mirror modifier implicitly references the port-mirroring properties currently bound to the underlying physical interfaces; the port-mirror-instance pm-instance-name modifier explicitly references a named instance of port mirroring; (optional) for tunnel interface input packets only, to mirror the packets to additional destinations, include the next-hop-group next-hop-group-name modifier, which references a next-hop-group that specifies the next-hop addresses (for sending additional copies of packets to an analyzer). | See Defining a Layer 2 Port-Mirroring Firewall Filter. Note: Layer 2 port-mirroring firewall filters are not supported for logical systems. For mirroring tunnel interface input packets to multiple destinations, also see Defining a Next-Hop Group for Layer 2 Port Mirroring.\r\nLayer 2 Port-Mirroring Firewall Filter | VLAN forwarding table or flood table. See Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a Bridge Domain. | Layer 2 traffic forwarded or flooded to a VLAN. | Same as the logical interface row above. | Same as the logical interface row above.\r\nLayer 2 Port-Mirroring Firewall Filter | VPLS routing instance forwarding table or flood table. See Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a VPLS Routing Instance. | Layer 2 traffic forwarded or flooded to a VPLS routing instance. | Same as the logical interface row above. | Same as the logical interface row above.\r\nRestrictions on Layer 2 Port Mirroring\r\nThe following restrictions apply to Layer 2 port mirroring:\r\nOnly Layer 2 transit data (packets that contain chunks of data transiting the routing platform or switch as they are forwarded from a source to a destination) can be mirrored. 
Layer 2 local data (packets that contain\r\nchunks of data that are destined for or sent by the Routing Engine, such as Layer 2 control packets) are not\r\nmirrored.\r\nIf you apply a port-mirroring filter to the output of a logical interface, only Unicast packets are mirrored.\r\nTo mirror Broadcast packets, Multicast packets, Unicast packets with an unknown destination media access\r\ncontrol (MAC) address, or packets with a MAC entry in the destination MAC (DMAC) routing table, apply\r\na filter to the input to the flood table of a VLAN or virtual private LAN service (VPLS) routing instance.\r\nhttps://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html\r\nPage 31 of 32\n\nThe mirror destination device should be on a dedicated VLAN and should not participate in any bridging\r\nactivity; the mirror destination device should not have a bridge to the ultimate traffic destination, and the\r\nmirror destination device should not send the mirrored packets back to the source address.\r\nFor either the global port-mirroring instance or a named port-mirroring instance, you can configure only\r\none mirror output interface per port-mirroring instance and packet address family. If you include more than\r\none interface statement under the family(ethernet-switching|ccc|vpls)output statement, the\r\nprevious interface statement is overridden.\r\nLayer 2 port-mirroring firewall filtering is not supported for logical systems.\r\nIn a Layer 2 port-mirroring firewall filter definition, the action-modifier filter ( port-mirror or port-mirror-instance\r\npm-instance-name ) relies on port-mirroring properties defined in the global instance or\r\nnamed instances of Layer 2 port mirroring, which are configured under the [edit forwarding-options\r\nport-mirroring] hierarchy. 
Therefore, the term filter cannot support Layer 2 port mirroring for logical\r\nsystems.\r\nFor a Layer 2 port mirroring firewall filter in which you implicitly reference Layer 2 port mirroring\r\nproperties by including the port-mirror statement, if multiple named instances of Layer 2 port mirroring\r\nare bound to the underlying physical interface, then only the first binding in the stanza (or the only binding)\r\nis used at the logical interface. This is done for backward compatibility.\r\nLayer 2 port-mirroring firewall filters do not support the use of next-hop subgroups for load-balancing\r\nmirrored traffic.\r\nSource: https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html\r\nhttps://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html\r\nPage 32 of 32",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html"
	],
	"report_names": [
		"port-mirroring-ex-series.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42993772fa2798f1dde0380574646dd209f9a0d2.pdf",
		"text": "https://archive.orkl.eu/42993772fa2798f1dde0380574646dd209f9a0d2.txt",
		"img": "https://archive.orkl.eu/42993772fa2798f1dde0380574646dd209f9a0d2.jpg"
	}
}