Hi schoberw,
Greetings, this is possible here is a sample of the configuration that would do the job:
Configuring Port Mirroring for Remote Traffic Analysis (ELS)
To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:
Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this KB:
[edit]
user@switch# set vlans remote-analyzer vlan-id 999
Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:
[edit]
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
Configure the analyzer. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:
[edit forwarding-options]
user@switch# set analyzer employee-monitor loss-priority high
Specify the traffic to be mirrored- in this example the packets entering ports ge-0/0/0 and ge–0/0/1:
[edit forwarding-options]
user@switch#set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch#set analyzer employee-monitor input ingress interface ge-0/0/1.0
Specify the remote-analyzer VLAN as the output for the analyzer:
[edit forwarding-options]
user@switch#set analyzer employee-monitor output vlan 999
Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit forwarding-options]
user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.
Source: https://kb.juniper.net/InfoCenter/index?page=content&id=KB10878&cat=SWITCH_PRODUCTS&actp=LIST
If you are missing some traffic or you need this traffic to be untagged please use this knob: no-tag
e.i
set forwarding-options analyzer PAN-Test output vlan 999 no-tag
If you are trying another variation, please check the for RSPAN limitations:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-mirroring-limitations-qfx-series.html
If you are using Wireshark as the analyzer software you might get the packets marked as ERSPAN which Wireshark reports them as fake ERSPAN.
> you can decode the following.
> -----------------------------------
> select menu:
> Edit -> preferences -> protocol -> ERSPAN
>
> Check:
> "FORCE to decade fake ERSPAN frame:".
> you can decode the following.
> -----------------------------------
> select menu:
> Edit -> preferences -> protcol -> ERSPAN
>
> Check:
> "FORCE to decade fake ERSPAN frame:".
Regards,
Lil Dexx JNCIE-ENT#863
If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/