08-13-2012 09:41 AM
We currently have a Cisco 6509 core switch that is being replaced with a stack of two EX4500s. On our 6509 we have port mirroring setup using these statements:
Monitor session 1 source interface Gi4/45
Monitor session 1 destination interface Gi4/43 – 44
In essence we are sending all the traffic from my router (port 4/45) to a content filter (port 4/43) AND a network analyzer box (port 4/44). It appears that this type of port mirroring cannot be set up on the EX4500. In other words, using the EX4500 I can send traffic from my router to my content filter OR my network analyzer box, but not both.
Is this correct?
08-13-2012 02:26 PM
Configuring Port Mirroring to Analyze Traffic (CLI Procedure)
Restrictions on Layer 2 Port Mirroring
The following restrictions apply to Layer 2 port mirroring:
In a Layer 2 port-mirroring firewall filter definition, the filter action-modifier (port-mirror or port-mirror-instance pm-instance-name) relies on port-mirroring properties defined in the global instance or named instances of Layer 2 port mirroring, which are configured under the [edit forwarding-options port-mirroring] hierarchy. Therefore, the filter term cannot support Layer 2 port mirroring for logical systems.
You configure port mirroring in order to copy packets so that you can analyze traffic using a protocol analyzer application. You can mirror traffic entering or exiting an interface, or entering a VLAN. You can send the mirrored packets to a local interface to monitor traffic locally or to a VLAN to monitor traffic remotely.
We recommend that you disable port mirroring when you are not using it and select specific input interfaces in preference to using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter or the ratio keyword to mirror only a selection of packets.
Note: If you want to create additional analyzers without deleting the existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command or the J-Web configuration page for port mirroring.
Note: Interfaces used as input or output for a port mirror analyzer must be configured as family ethernet-switching.
Configuring Port Mirroring for Local Traffic Analysis
To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:
When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch.
Configuring Port Mirroring for Remote Traffic Analysis
To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:
When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.
Filtering the Traffic Entering a Port Mirroring Analyzer
To filter which packets are mirrored to an analyzer, create the analyzer, then use it as the action in the firewall filter. You can use firewall filters in both local and remote port mirroring configurations.
If the same analyzer is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once.
To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. The action of the firewall filter provides the input to the analyzer.
To configure port mirroring with filters:
This example shows a firewall filter called example-filter, with two terms:
08-13-2012 02:33 PM
My response was too quick. Sorry for the overload... it could still help someone else anyway.
But to answer your question, when you send output to the VLAN, you should be able to connect your analyzer to one of the interfaces in that VLAN and then connect whatever you want to the other interfaces. "You can send the mirrored packets to a local interface to monitor traffic locally or to a VLAN to monitor traffic remotely."
It would seem like you can configure multiple analyzers and send them to where you desire. I am almost certain I read this a few weeks ago, but cannot remember where. If I find it, I will post it here later.
08-13-2012 03:40 PM
I found the following, which seems to confirm your thoughts. Here is a suggestion, which I have no way of testing, but you could try mirroring to a VLAN. Then, on the ports you have in that VLAN, disable MAC address learning, essentially making them act as a hub, and connect one port to the analyzer and one to the content filter. I do not have the facilities to test it at this time. I hope this helps some way or another.
Limitations of Port Mirroring
Port mirroring on EX Series switches has the following limitations:
On an EX2200 switch, you cannot configure multiple VLANs (including a VLAN range or PVLANs) as ingress input to an analyzer.
On an EX2200, EX3200, EX4200, or EX4500 switch, you can enable only one analyzer (port mirroring configuration).
On EX8200 switches, you can configure seven analyzers (port mirroring configurations). Of these, one can be configured for input and output, the others only for output configured using firewall filters—the action of the firewall filters provides the input to the analyzers.
An analyzer configured using a firewall filter does not support mirroring of packets that are egressing ports.
Packets with physical layer errors are filtered out and thus are not sent to the analyzer port or analyzer VLAN.
You cannot mirror packets exiting or entering the following ports:
Dedicated Virtual Chassis ports (VCPs)
Management port (me0 or vme0)
Routed VLAN interfaces (RVIs) and VLAN-tagged L3 interfaces
On EX2200, EX3200, EX4200, and EX4500 switches, mirrored packets exiting a tagged interface might contain an incorrect VLAN ID and Ethertype.
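Added example, not from this thread or from Juniper's documentation: a Junos (non-ELS EX Series, set-format) configuration that puts the single analyzer an EX4500 allows, the remote-analysis VLAN output from the documentation quoted above, and the "mirror VLAN with MAC learning disabled" workaround from the last post together. Interface names (ge-0/0/45 as the router uplink, ge-0/0/43 and ge-0/0/44 as the content filter and analyzer), the VLAN name and ID 999, and the analyzer and filter names are assumptions; the poster said the approach is untested, so verify it on your own Junos release and in a lab before relying on it. Lines beginning with # are explanatory comments.

```junos
# --- Mirror VLAN ---------------------------------------------------------
# A VLAN that carries nothing but mirrored copies. With no-mac-learning every
# frame is flooded to all member ports, so each monitoring host sees the
# full copy (the "hub" behaviour suggested above). Assumed VLAN id 999.
set vlans mirror-vlan vlan-id 999
set vlans mirror-vlan no-mac-learning

# --- Monitoring hosts ----------------------------------------------------
# Content filter and analyzer are the only members of the mirror VLAN.
# Untagged access ports avoid the incorrect VLAN ID / Ethertype caveat the
# documentation gives for mirrored packets exiting tagged interfaces.
set interfaces ge-0/0/43 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/43 unit 0 family ethernet-switching vlan members mirror-vlan
set interfaces ge-0/0/44 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members mirror-vlan

# --- The one analyzer the EX4500 permits ---------------------------------
# Mirror both directions of the router port (assumed ge-0/0/45) into the
# mirror VLAN rather than to a single output interface.
set ethernet-switching-options analyzer router-monitor input ingress interface ge-0/0/45.0
set ethernet-switching-options analyzer router-monitor input egress interface ge-0/0/45.0
set ethernet-switching-options analyzer router-monitor output vlan mirror-vlan

# Optional statistical sampling: mirror 1 packet in 200 if the full feed is
# too heavy for the switch. Leave it out when the content filter needs every
# packet.
# set ethernet-switching-options analyzer router-monitor ratio 200

# --- Alternative input: firewall filter ----------------------------------
# Instead of the two "input" lines above, a filter can feed the analyzer and
# mirror only selected traffic (web traffic here, as an assumed example).
# Note the documented limitation: a filter-driven analyzer mirrors ingress
# only, never packets egressing the port.
# set firewall family ethernet-switching filter mirror-web term web from protocol tcp
# set firewall family ethernet-switching filter mirror-web term web from destination-port 80
# set firewall family ethernet-switching filter mirror-web term web then analyzer router-monitor
# set firewall family ethernet-switching filter mirror-web term web then accept
# set firewall family ethernet-switching filter mirror-web term rest then accept
# set interfaces ge-0/0/45 unit 0 family ethernet-switching filter input mirror-web
```

After committing, "show analyzer" confirms the analyzer is up and what it is mirroring, and "show ethernet-switching table" should stay empty for mirror-vlan, which is how you verify the flooding behaviour the workaround depends on. Keep the analyzer disabled when it is not in use, as the quoted documentation recommends, since a mirror VLAN that floods to every member port is also a VLAN on which any accidentally added port receives a copy of the router's traffic.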