Duplicate

The following scenarios demonstrate how to configure port mirroring using the traffic policy duplicate feature. Port mirroring duplicates network packets and forwards copies to monitoring destinations while preserving the original traffic flow. Traffic selectors can be used to filter which packets are duplicated based on protocol, addresses, or other criteria.


Test duplicate local traffic to an interface

Description

This scenario configures link-level port mirroring on DUT0 (‘eth0’ interface). Both ingress (link-in) and egress (link-out) traffic policies are applied to duplicate all traffic to another physical interface.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy link-in DUP_POLICY
set interfaces ethernet eth0 traffic policy link-out DUP_POLICY
set interfaces ethernet eth2 address 20.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DUP_POLICY rule 1 action accept
set traffic policy DUP_POLICY rule 1 duplicate device eth2

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth2 address 20.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.618 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.618/0.618/0.618/0.000 ms

Step 5: Ping IP address 20.0.0.1 from DUT2:

admin@DUT2$ ping 20.0.0.1 count 1 size 56 timeout 1
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data.
64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.417 ms

--- 20.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.417/0.417/0.417/0.000 ms

Step 6: Modify the following configuration lines in DUT0:

set service echo port 5050

Note

Start packet capture on DUT0 eth2 to monitor duplicated traffic.

Step 7: Run command monitor test connection client 10.0.0.1 5050 udp at DUT1.

Note

At this point, generate some traffic from DUT1 to the echo service on DUT0.

Note

Stop packet capture. Expected output:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:02:04.392727 IP6 fe80::dcad:beff:feef:6c02 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
15:02:05.275482 IP 10.0.0.2.48884 > 10.0.0.1.5050: UDP, length 17
15:02:05.276946 IP 10.0.0.1.5050 > 10.0.0.2.48884: UDP, length 17
15:02:06.276640 IP 10.0.0.2.48884 > 10.0.0.1.5050: UDP, length 17
15:02:06.277872 IP 10.0.0.1.5050 > 10.0.0.2.48884: UDP, length 17
15:02:07.278373 IP 10.0.0.2.48884 > 10.0.0.1.5050: UDP, length 17
15:02:07.279520 IP 10.0.0.1.5050 > 10.0.0.2.48884: UDP, length 17
15:02:08.280017 IP 10.0.0.2.48884 > 10.0.0.1.5050: UDP, length 17
15:02:08.281064 IP 10.0.0.1.5050 > 10.0.0.2.48884: UDP, length 17
15:02:08.744719 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28
15:02:08.744730 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 28
15:02:08.744957 ARP, Reply 20.0.0.2 is-at de:ad:be:ef:6c:22, length 28
15:02:08.744973 ARP, Reply 10.0.0.2 is-at de:ad:be:ef:6c:10, length 28
15:02:09.282258 IP 10.0.0.2.48884 > 10.0.0.1.5050: UDP, length 17
15:02:09.284649 IP 10.0.0.1.5050 > 10.0.0.2.48884: UDP, length 17
^C

15 packets captured
15 packets received by filter
0 packets dropped by kernel
admin@osdx$

Test duplicate local traffic to a remote IP

Description

This scenario configures remote port mirroring on DUT0 (‘eth0’ interface). Local-in and local-out traffic policies duplicate traffic to a remote IP address. A traffic selector is configured to filter and duplicate only UDP traffic.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-in DUP_POLICY
set interfaces ethernet eth0 traffic policy local-out DUP_POLICY
set interfaces ethernet eth2 address 20.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DUP_POLICY rule 1 action accept
set traffic policy DUP_POLICY rule 1 duplicate remote 20.0.0.2
set traffic policy DUP_POLICY rule 1 selector UDP_SEL
set traffic selector UDP_SEL rule 1 protocol udp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth2 address 20.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.602 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.602/0.602/0.602/0.000 ms

Step 5: Ping IP address 20.0.0.1 from DUT2:

admin@DUT2$ ping 20.0.0.1 count 1 size 56 timeout 1
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data.
64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.386 ms

--- 20.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms

Note

Start packet capture on DUT2 eth2 to monitor duplicated traffic.

Step 6: Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 5050 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 5050 tcp

Step 7: Initiate a UDP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 5050 udp
admin@DUT1$ monitor test connection client 10.0.0.1 5050 udp

Note

Stop packet capture. Expected output:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:02:18.551616 IP6 :: > ff02::1:ffef:6c22: ICMP6, neighbor solicitation, who has fe80::dcad:beff:feef:6c22, length 32
15:02:19.031622 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88
15:02:19.575647 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88
15:02:19.587613 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
15:02:19.863625 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88
15:02:20.247630 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
15:02:23.055531 IP 10.0.0.2.55150 > 10.0.0.1.5050: UDP, length 20
15:02:23.082269 IP 10.0.0.1.5050 > 10.0.0.2.55150: UDP, length 20
15:02:23.109626 IP 10.0.0.2.55150 > 10.0.0.1.5050: UDP, length 20
15:02:23.138665 IP 10.0.0.1.5050 > 10.0.0.2.55150: UDP, length 20
15:02:23.176792 IP 10.0.0.2.55150 > 10.0.0.1.5050: UDP, length 20
15:02:23.206846 IP 10.0.0.1.5050 > 10.0.0.2.55150: UDP, length 20
15:02:23.235319 IP 10.0.0.2.55150 > 10.0.0.1.5050: UDP, length 20
15:02:23.277498 IP 10.0.0.1.5050 > 10.0.0.2.55150: UDP, length 20
15:02:23.304201 IP 10.0.0.2.55150 > 10.0.0.1.5050: UDP, length 20
15:02:23.334968 IP 10.0.0.1.5050 > 10.0.0.2.55150: UDP, length 20
15:02:23.461069 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28
15:02:23.461090 ARP, Reply 20.0.0.2 is-at de:ad:be:ef:6c:22, length 28
^C

18 packets captured
18 packets received by filter
0 packets dropped by kernel
admin@osdx$

Note

Only UDP traffic from the monitored interface appears in the capture because the traffic selector matches UDP packets exclusively; the TCP session from Step 6 is not duplicated.


Test duplicate local traffic to a remote IP with VRF

Description

This scenario configures remote port mirroring on DUT0 (‘eth0’ interface). Local-in and local-out traffic policies duplicate traffic to a remote IP address. The interface is configured within a VRF, which must be specified as the output VRF. A traffic selector is configured to filter and duplicate only UDP traffic.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-in DUP_POLICY
set interfaces ethernet eth0 traffic policy local-out DUP_POLICY
set interfaces ethernet eth2 address 20.0.0.1/24
set interfaces ethernet eth2 vrf VRF1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf VRF1
set traffic policy DUP_POLICY rule 1 action accept
set traffic policy DUP_POLICY rule 1 duplicate remote 20.0.0.2 local-vrf VRF1
set traffic policy DUP_POLICY rule 1 selector UDP_SEL
set traffic selector UDP_SEL rule 1 protocol udp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth2 address 20.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.603 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.603/0.603/0.603/0.000 ms

Step 5: Ping IP address 20.0.0.1 from DUT2:

admin@DUT2$ ping 20.0.0.1 count 1 size 56 timeout 1
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data.
64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.397 ms

--- 20.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.397/0.397/0.397/0.000 ms

Note

Start packet capture on DUT2 eth2 to monitor duplicated traffic.

Step 6: Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 5050 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 5050 tcp

Step 7: Initiate a UDP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 5050 udp
admin@DUT1$ monitor test connection client 10.0.0.1 5050 udp

Note

Stop packet capture. Expected output:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:02:32.129400 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88
15:02:32.289420 IP6 :: > ff02::1:ffef:6c22: ICMP6, neighbor solicitation, who has fe80::dcad:beff:feef:6c22, length 32
15:02:33.313447 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88
15:02:33.325395 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
15:02:33.633409 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
15:02:33.825418 IP6 fe80::dcad:beff:feef:6c22 > ff02::16: HBH ICMP6, multicast listener report v2, 4 group record(s), length 88
15:02:36.426568 IP 10.0.0.2.56759 > 10.0.0.1.5050: UDP, length 20
15:02:36.464121 IP 10.0.0.1.5050 > 10.0.0.2.56759: UDP, length 20
15:02:36.500055 IP 10.0.0.2.56759 > 10.0.0.1.5050: UDP, length 20
15:02:36.527657 IP 10.0.0.1.5050 > 10.0.0.2.56759: UDP, length 20
15:02:36.559097 IP 10.0.0.2.56759 > 10.0.0.1.5050: UDP, length 20
15:02:36.597455 IP 10.0.0.1.5050 > 10.0.0.2.56759: UDP, length 20
15:02:36.633491 IP 10.0.0.2.56759 > 10.0.0.1.5050: UDP, length 20
15:02:36.660657 IP 10.0.0.1.5050 > 10.0.0.2.56759: UDP, length 20
15:02:36.699110 IP 10.0.0.2.56759 > 10.0.0.1.5050: UDP, length 20
15:02:36.741503 IP 10.0.0.1.5050 > 10.0.0.2.56759: UDP, length 20
15:02:36.814748 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28
15:02:36.814761 ARP, Reply 20.0.0.2 is-at de:ad:be:ef:6c:22, length 28
^C

18 packets captured
18 packets received by filter
0 packets dropped by kernel
admin@osdx$

Note

Only UDP traffic from the monitored interface appears in the capture because the traffic selector matches UDP packets exclusively; the TCP session from Step 6 is not duplicated.
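
The two remote-mirroring scenarios above (with and without VRF) can be checked mechanically instead of by eye. The following is an added example, not part of the original documentation: it parses tcpdump one-line output taken at the mirror destination, ignores the capture link's own ARP/IPv6 chatter, and reports which policy directions were seen and any packet that violates the UDP selector. The names `audit_mirror` and `classify` are hypothetical, and mapping "destination is DUT0" to local-in is an assumption based on the policy names used in the configuration.

```python
import ipaddress
import re

# tcpdump one-line IPv4 summary: "<time> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
IP_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$"
)

def classify(summary):
    """Map tcpdump's per-packet summary to a coarse protocol name."""
    if summary.startswith("UDP"):
        return "udp"
    if summary.startswith("Flags ["):  # tcpdump prints TCP segments as "Flags [...]"
        return "tcp"
    return "other"

def audit_mirror(lines, monitored_ip, allowed=("udp",)):
    """Audit a capture taken at the mirror destination.

    Returns (directions_seen, violations). Lines that do not involve
    monitored_ip (ARP, IPv6 ND/MLD on the capture link) are ignored.
    """
    host = ipaddress.ip_address(monitored_ip)
    directions, violations = set(), []
    for line in lines:
        m = IP_LINE.match(line.strip())
        if not m:
            continue
        src, dst = (ipaddress.ip_address(a) for a in m.group(1, 2))
        if host not in (src, dst):
            continue
        # Assumption: traffic addressed to the monitored host hit the local-in policy.
        directions.add("local-in" if dst == host else "local-out")
        if classify(m.group(3)) not in allowed:
            violations.append(line.strip())
    return directions, violations

# The first three lines are copied from the expected output above; the last is a
# constructed TCP segment that a correctly applied UDP_SEL must never mirror.
SAMPLE = [
    "15:02:23.055531 IP 10.0.0.2.55150 > 10.0.0.1.5050: UDP, length 20",
    "15:02:23.082269 IP 10.0.0.1.5050 > 10.0.0.2.55150: UDP, length 20",
    "15:02:23.461069 ARP, Request who-has 20.0.0.2 tell 20.0.0.1, length 28",
    "15:02:24.000000 IP 10.0.0.2.40000 > 10.0.0.1.5050: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    dirs, bad = audit_mirror(SAMPLE, "10.0.0.1")
    print("directions:", sorted(dirs), "violations:", bad)
```

An empty violation list together with both directions present indicates that the selector is honored and that both the local-in and local-out policies are duplicating traffic.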