This article explains how the port mirroring feature can be configured on an SRX device.
Sometimes we need to examine the traffic on an interface. This can be done either by taking a packet capture on the interface or by mirroring the interface so that a copy of its traffic is sent to a monitoring system.
Step 1: Configure port mirroring in the forwarding options hierarchy:
[edit forwarding-options]
port-mirroring {
    input {
        rate 1;
        run-length 10;
    }
    family inet {
        output {
            interface ge-0/0/1.0 {
                next-hop 2.2.2.1;
            }
        }
    }
}
Step 2: Configure a firewall filter whose action is port-mirror:
[edit firewall]
filter port-mirror {
    term 1 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            port-mirror;
            accept;
        }
    }
}
Step 3: Apply the filter to the interface that is to be mirrored:
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input port-mirror;
                output port-mirror;
            }
            address 1.1.1.1/24;
        }
    }
}
The following is a complete sample configuration for port mirroring.
In this example, a copy of the traffic that comes into or goes out of the ge-0/0/0 interface is sent out of the ge-0/0/1 interface to a monitoring system, where it can be captured and analyzed.
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input port-mirror;
                    output port-mirror;
                }
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;
            run-length 10;
        }
        family inet {
            output {
                interface ge-0/0/1.0 {
                    next-hop 2.2.2.1;
                }
            }
        }
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}
firewall {
    filter port-mirror {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                port-mirror;
                accept;
            }
        }
    }
}
Note: Port mirroring with ethernet-switching is not supported.
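As an added example, not part of this article or of Junos itself, the following Python script parses a brace-style Junos configuration like the sample above into nested dictionaries and checks the pieces that have to agree before the analyzer sees anything: the filter applied to the interface really carries a then port-mirror action, the output next-hop lies on the output interface's subnet, the output unit is not family ethernet-switching, and input rate is 1 so that every packet, rather than a 1-in-N sample, is copied. SAMPLE_CONFIG is a constructed copy of the article's sample configuration, and the function names are the example's own.

```python
import ipaddress, re
SAMPLE_CONFIG = """  ## constructed sample modelled on this article's configuration, not the article's own text
interfaces { ge-0/0/0 { unit 0 { family inet { filter { input port-mirror; output port-mirror; } address 1.1.1.1/24; } } }
             ge-0/0/1 { unit 0 { family inet { address 2.2.2.2/24; } } } }
forwarding-options { port-mirroring { input { rate 1; run-length 10; }
    family inet { output { interface ge-0/0/1.0 { next-hop 2.2.2.1; } } } } }
firewall { filter port-mirror { term 1 { from { source-address { 0.0.0.0/0; } } then { port-mirror; accept; } } } }
"""

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    root = cur = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^{};\s]+", re.sub(r"##.*", "", text)):  # strip ## comments first
        if tok == "{":  # open the child hierarchy named by the words read so far
            stack.append(cur); cur, words = cur.setdefault(" ".join(words), {}), []
        elif tok == ";":  # leaf statement, e.g. "next-hop 2.2.2.1"
            cur[" ".join(words)], words = None, []
        elif tok == "}": cur = stack.pop()
        else: words.append(tok)
    return root

def check_port_mirroring(cfg):
    """Return findings about the mirroring setup; an empty list means it is coherent."""
    findings, mirrored = [], set()
    ifaces = cfg.get("interfaces", {})
    pm = cfg.get("forwarding-options", {}).get("port-mirroring", {})
    # Only filters with a 'then port-mirror' term actually hand packets to the mirror.
    mirror_filters = {k.split()[1] for k, f in cfg.get("firewall", {}).items() if k.startswith("filter ")
                      and any("port-mirror" in (t or {}).get("then", {}) for t in (f or {}).values())}
    for ifname, ifc in ifaces.items():
        for unit, u in (ifc or {}).items():  # filter statements read "input NAME" / "output NAME"
            if any(s.split()[1] in mirror_filters for s in (u or {}).get("family inet", {}).get("filter", {})):
                mirrored.add(f"{ifname}.{unit.split()[1]}")
    if not mirrored:
        findings.append("no interface applies a filter with a 'then port-mirror' term")
    rate = next((k.split()[1] for k in pm.get("input", {}) if k.startswith("rate ")), None)
    if rate != "1":  # rate N mirrors one packet in N (plus run-length follow-on packets), not every packet
        findings.append(f"input rate {rate}: the analyzer sees a sample, not a full copy of the traffic")
    for stmt, body in pm.get("family inet", {}).get("output", {}).items():
        out_if = stmt.split()[1]  # e.g. ge-0/0/1.0
        phys, _, unit = out_if.partition(".")
        unit_cfg = (ifaces.get(phys) or {}).get(f"unit {unit or '0'}") or {}
        if "family ethernet-switching" in unit_cfg:
            findings.append(f"{out_if} uses ethernet-switching, which port mirroring does not support")
        addrs = [k.split()[1] for k in unit_cfg.get("family inet", {}) if k.startswith("address ")]
        nh = next((k.split()[1] for k in (body or {}) if k.startswith("next-hop ")), None)
        if nh is None or not any(ipaddress.ip_address(nh) in ipaddress.ip_interface(a).network for a in addrs):
            findings.append(f"{out_if}: next-hop {nh} is not on that interface's subnet")
    return findings
```

Running check_port_mirroring(parse_junos(SAMPLE_CONFIG)) returns an empty list for the sample; changing the next-hop to an address outside 2.2.2.0/24, or dropping the port-mirror action from the filter, produces a finding.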