How to do port mirroring on J-series and SRX branch devices

Knowledge Base ID: KB21833
Last Updated: 03 Oct 2011
Version: 3.0

Summary:
This article explains how the port mirroring feature can be configured on an SRX device.

Problem or Goal:
Sometimes it is necessary to examine the traffic on an interface. This can be done either by taking a packet capture on the interface or by mirroring the interface.

Solution:
Step 1: Configure port mirroring in the forwarding-options hierarchy:
[edit forwarding-options]

port-mirroring {
    input {
        rate 1;
        run-length 10;
    }
    family inet {
        output {
            interface ge-0/0/1.0 {
                next-hop 2.2.2.1;
            }
        }
    }
}

Step 2: Configure a firewall filter with the port-mirror action:
[edit firewall]

filter port-mirror {
    term 1 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            port-mirror;
            accept;
        }
    }
}

Step 3: Apply the filter to the interface that is to be mirrored:
[edit interfaces]

ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input port-mirror;
                output port-mirror;
            }
            address 1.1.1.1/24;
        }
    }
}

The following is a sample configuration for port mirroring.

In this example, a copy of the traffic that comes into or goes out of the ge-0/0/0 interface is sent out of the ge-0/0/1 interface to a monitoring system, where it can be captured and analyzed.

system {
    root-authentication {
        encrypted-password "$1$9UsjE5u5$tb1.O6wtCosLwVBEWmsYP."; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input port-mirror;
                    output port-mirror;
                }
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;
            run-length 10;
        }
        family inet {
            output {
                interface ge-0/0/1.0 {
                    next-hop 2.2.2.1;
                }
            }
        }
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}
firewall {
    filter port-mirror {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                port-mirror;
                accept;
            }
        }
    }
}

Note: Port mirroring is not supported with ethernet-switching.
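As an added consistency check (example code, not part of this article or of Juniper's tooling): a small Python script that parses a Junos-style configuration such as the sample above and verifies that the three stanzas agree, that is, every filter applied under [edit interfaces] has a port-mirror action under [edit firewall], and the next-hop under [edit forwarding-options port-mirroring] lies on the subnet of the output interface. The embedded SAMPLE is a constructed, compacted copy of the sample configuration; the function and variable names are the example's own.

```python
import ipaddress
import re
# Constructed sample: the article's configuration, compacted to the stanzas that matter here.
SAMPLE = """
interfaces { ge-0/0/0 { unit 0 { family inet { filter { input port-mirror; output port-mirror; } address 1.1.1.1/24; } } }
             ge-0/0/1 { unit 0 { family inet { address 2.2.2.2/24; } } } }
forwarding-options { port-mirroring { input { rate 1; run-length 10; } family inet { output { interface ge-0/0/1.0 { next-hop 2.2.2.1; } } } } }
firewall { filter port-mirror { term 1 { from { source-address { 0.0.0.0/0; } } then { port-mirror; accept; } } } }
"""

def parse(text):
    """Turn Junos curly-brace syntax into nested dicts; leaf statements map to True."""
    root, stack, words = {}, [], []
    for tok in re.findall(r'[{};]|"[^"]*"|[^\s{};]+', re.sub(r"#.*", "", text)):
        node = stack[-1] if stack else root
        if tok not in "{;}":
            words.append(tok)
            continue
        key, words = " ".join(words), []   # the statement collected so far
        if tok == "{":
            stack.append(node.setdefault(key, {}))
        elif tok == ";":
            node[key] = True
        else:
            stack.pop()
    return root

def check_port_mirroring(text):
    """Return inconsistencies between the interface, firewall and forwarding-options stanzas."""
    cfg, problems = parse(text), []
    ifaces = cfg.get("interfaces", {})
    # Names of firewall filters that carry a 'port-mirror' action in at least one term.
    mirror_filters = {name.split()[1] for name, body in cfg.get("firewall", {}).items()
                      if name.startswith("filter ") and any(
                          isinstance(t, dict) and "port-mirror" in t.get("then", {}) for t in body.values())}
    for ifname, iface in ifaces.items():
        for unit, ucfg in iface.items():
            for stmt in (ucfg if isinstance(ucfg, dict) else {}).get("family inet", {}).get("filter", {}):
                if stmt.split()[1] not in mirror_filters:
                    problems.append(f"{ifname} {unit}: filter '{stmt}' has no port-mirror action")
    outputs = (cfg.get("forwarding-options", {}).get("port-mirroring", {})
               .get("family inet", {}).get("output", {}))
    for stmt, body in outputs.items():          # e.g. "interface ge-0/0/1.0"
        phys, unit = stmt.split()[1].rsplit(".", 1)
        inet = ifaces.get(phys, {}).get(f"unit {unit}", {}).get("family inet", {})
        nexthop = next((k.split()[1] for k in body if k.startswith("next-hop ")), None)
        addr = next((k.split()[1] for k in inet if k.startswith("address ")), None)
        if not (nexthop and addr and ipaddress.ip_address(nexthop) in ipaddress.ip_interface(addr).network):
            problems.append(f"output {phys}.{unit}: next-hop {nexthop} must be on its own inet subnet ({addr})")
    return problems
```

Run check_port_mirroring on the output of `show configuration` saved to a file; an empty list means the three stanzas reference each other consistently.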

Purpose:
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.