Duplicate
The following scenarios demonstrate how to configure port
mirroring using the traffic policy duplicate feature.
Port mirroring duplicates network packets and forwards copies
to monitoring destinations while preserving the original traffic flow.
traffic selectors can be used to filter which packets
should be duplicated based on protocol, addresses, or other criteria.
Test duplicate local traffic to an interface
Description
This scenario configures link-level port mirroring on DUT0’s (‘eth0’ interface). Both ingress (link-in) and egress (link-out) traffic policies are applied to duplicate all traffic to another physical interface.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy link-in DUP_POLICY set interfaces ethernet eth0 traffic policy link-out DUP_POLICY set interfaces ethernet eth2 address 20.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy DUP_POLICY rule 1 action accept set traffic policy DUP_POLICY rule 1 duplicate device eth2
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth2 address 20.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.645 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.645/0.645/0.645/0.000 ms
Step 5: Ping IP address 20.0.0.1 from DUT2:
admin@DUT2$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.410 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.410/0.410/0.410/0.000 ms
Step 6: Modify the following configuration lines in DUT0 :
set service echo port 5050
Note
Start packet capture on DUT0 eth2 to monitor duplicated traffic
Step 7: Run command monitor test connection client 10.0.0.1 5050 udp at DUT1.
Note
Now it is important to generate some traffic from DUT1 to DUT0 echo service.
Note
Stop packet capture. Expected output:
Show output
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes 13:29:11.323299 IP6 fe80::dcad:beff:feef:6c02 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:11.866579 IP 10.0.0.2.53663 > 10.0.0.1.5050: UDP, length 17 13:29:11.867827 IP 10.0.0.1.5050 > 10.0.0.2.53663: UDP, length 17 13:29:12.868327 IP 10.0.0.2.53663 > 10.0.0.1.5050: UDP, length 17 13:29:12.869528 IP 10.0.0.1.5050 > 10.0.0.2.53663: UDP, length 17 13:29:13.869891 IP 10.0.0.2.53663 > 10.0.0.1.5050: UDP, length 17 13:29:13.870890 IP 10.0.0.1.5050 > 10.0.0.2.53663: UDP, length 17 13:29:14.871314 IP 10.0.0.2.53663 > 10.0.0.1.5050: UDP, length 17 13:29:14.872460 IP 10.0.0.1.5050 > 10.0.0.2.53663: UDP, length 17 13:29:15.355275 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28 13:29:15.355283 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 28 13:29:15.355514 ARP, Reply 20.0.0.2 is-at de:ad:be:ef:6c:22, length 28 13:29:15.355518 ARP, Reply 10.0.0.2 is-at de:ad:be:ef:6c:10, length 28 13:29:15.873214 IP 10.0.0.2.53663 > 10.0.0.1.5050: UDP, length 17 13:29:15.874385 IP 10.0.0.1.5050 > 10.0.0.2.53663: UDP, length 17 ^C 15 packets captured 15 packets received by filter 0 packets dropped by kernel admin@osdx$
Test duplicate local traffic to a remote IP
Description
This scenario configures remote port mirroring on DUT0 (‘eth0’ interface). Local-in and local-out traffic policies duplicate traffic to a remote IP address. A traffic selector is configured to filter and duplicate only UDP traffic.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy local-in DUP_POLICY set interfaces ethernet eth0 traffic policy local-out DUP_POLICY set interfaces ethernet eth2 address 20.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy DUP_POLICY rule 1 action accept set traffic policy DUP_POLICY rule 1 duplicate remote 20.0.0.2 set traffic policy DUP_POLICY rule 1 selector UDP_SEL set traffic selector UDP_SEL rule 1 protocol udp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth2 address 20.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.489 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.489/0.489/0.489/0.000 ms
Step 5: Ping IP address 20.0.0.1 from DUT2:
admin@DUT2$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.576 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.576/0.576/0.576/0.000 ms
Note
Start packet capture on DUT2 eth2 to monitor duplicated traffic
Step 6: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 5050 tcp admin@DUT1$ monitor test connection client 10.0.0.1 5050 tcp
Step 7: Initiate a udp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 5050 udp admin@DUT1$ monitor test connection client 10.0.0.1 5050 udp
Note
Stop packet capture. Expected output:
Show output
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes 13:29:25.864599 IP6 :: > ff02::1:ffef:6c22: ICMP6, neighbor solicitation, who has fe80::dcad:beff:feef:6c22, length 32 13:29:26.088593 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:26.888744 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:26.900573 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28 13:29:27.528580 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:27.784601 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28 13:29:30.215669 IP 10.0.0.2.59811 > 10.0.0.1.5050: UDP, length 20 13:29:30.252049 IP 10.0.0.1.5050 > 10.0.0.2.59811: UDP, length 20 13:29:30.277820 IP 10.0.0.2.59811 > 10.0.0.1.5050: UDP, length 20 13:29:30.315198 IP 10.0.0.1.5050 > 10.0.0.2.59811: UDP, length 20 13:29:30.344033 IP 10.0.0.2.59811 > 10.0.0.1.5050: UDP, length 20 13:29:30.375750 IP 10.0.0.1.5050 > 10.0.0.2.59811: UDP, length 20 13:29:30.413417 IP 10.0.0.2.59811 > 10.0.0.1.5050: UDP, length 20 13:29:30.438275 IP 10.0.0.1.5050 > 10.0.0.2.59811: UDP, length 20 13:29:30.470724 IP 10.0.0.2.59811 > 10.0.0.1.5050: UDP, length 20 13:29:30.495921 IP 10.0.0.1.5050 > 10.0.0.2.59811: UDP, length 20 13:29:30.543126 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28 13:29:30.543143 ARP, Reply 20.0.0.2 is-at de:ad:be:ef:6c:22, length 28 ^C 18 packets captured 18 packets received by filter 0 packets dropped by kernel admin@osdx$
Note
Note that only UDP traffic is captured because the traffic selector is configured to filter UDP packets exclusively.
Test duplicate local traffic to a remote IP with VRF
Description
This scenario configures remote port mirroring on DUT0 (‘eth0’ interface). Local-in and local-out traffic policies duplicate traffic to a remote IP address. The interface is configured within a VRF, which must be specified as the output VRF. A traffic selector is configured to filter and duplicate only UDP traffic.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy local-in DUP_POLICY set interfaces ethernet eth0 traffic policy local-out DUP_POLICY set interfaces ethernet eth2 address 20.0.0.1/24 set interfaces ethernet eth2 vrf VRF1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf VRF1 set traffic policy DUP_POLICY rule 1 action accept set traffic policy DUP_POLICY rule 1 duplicate remote 20.0.0.2 local-vrf VRF1 set traffic policy DUP_POLICY rule 1 selector UDP_SEL set traffic selector UDP_SEL rule 1 protocol udp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth2 address 20.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.694 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.694/0.694/0.694/0.000 ms
Step 5: Ping IP address 20.0.0.1 from DUT2:
admin@DUT2$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.425 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.425/0.425/0.425/0.000 ms
Note
Start packet capture on DUT2 eth2 to monitor duplicated traffic
Step 6: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 5050 tcp admin@DUT1$ monitor test connection client 10.0.0.1 5050 tcp
Step 7: Initiate a udp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 5050 udp admin@DUT1$ monitor test connection client 10.0.0.1 5050 udp
Note
Stop packet capture. Expected output:
Show output
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes 13:29:38.962017 IP6 :: > ff02::1:ffef:6c22: ICMP6, neighbor solicitation, who has fe80::dcad:beff:feef:6c22, length 32 13:29:39.090031 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:39.986046 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:39.997997 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28 13:29:40.946014 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88 13:29:41.010012 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28 13:29:43.211392 IP 10.0.0.2.43574 > 10.0.0.1.5050: UDP, length 20 13:29:43.238105 IP 10.0.0.1.5050 > 10.0.0.2.43574: UDP, length 20 13:29:43.263429 IP 10.0.0.2.43574 > 10.0.0.1.5050: UDP, length 20 13:29:43.292684 IP 10.0.0.1.5050 > 10.0.0.2.43574: UDP, length 20 13:29:43.320589 IP 10.0.0.2.43574 > 10.0.0.1.5050: UDP, length 20 13:29:43.348361 IP 10.0.0.1.5050 > 10.0.0.2.43574: UDP, length 20 13:29:43.391715 IP 10.0.0.2.43574 > 10.0.0.1.5050: UDP, length 20 13:29:43.427380 IP 10.0.0.1.5050 > 10.0.0.2.43574: UDP, length 20 13:29:43.468455 IP 10.0.0.2.43574 > 10.0.0.1.5050: UDP, length 20 13:29:43.499132 IP 10.0.0.1.5050 > 10.0.0.2.43574: UDP, length 20 13:29:43.544546 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28 13:29:43.544563 ARP, Reply 20.0.0.2 is-at de:ad:be:ef:6c:22, length 28 ^C 18 packets captured 18 packets received by filter 0 packets dropped by kernel admin@osdx$
Note
Note that only UDP traffic is captured because the traffic selector is configured to filter UDP packets exclusively.