Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] Example: Configuring port mirroring on MX devices

0

1
Article ID: KB33488 KB Last Updated: 19 Aug 2020Version: 2.0 Summary:

This article explains how to configure port mirroring on MX devices with the help of an example.

For basic port configuration steps, refer also to Configuring Port Mirroring on M, T MX, and PTX Series Routers.

 

Symptoms:
 

Topology

 

  • In the above setup, SSH traffic is being sent from ixia port 10/11 to ixia port 10/12.

  • The spirent port 1/6 is the collector. 

  • Interface xe-0/0/1 is mirrored to ge-3/2/6 on the MX960 router.

 

Solution:
 

Example Configuration

labroot@MX480# show interfaces ge-5/0/6  
unit 0 {
    family inet {
        address 10.10.1.1/30;
    }
}


labroot@MX480# show interfaces xe-0/0/2    
unit 0 {
    family inet {
        address 10.10.3.1/30;
    }
}


labroot@jtac-MX960-r005# show interfaces xe-0/0/1 
unit 0 {
    family inet {
        filter {
            input ingress;
        }
        address 10.10.3.2/30;
    }
}


labroot@jtac-MX960-r005# show interfaces ge-3/2/4 
unit 0 {
    family inet {
        address 10.10.8.1/30;
    }
}


labroot@jtac-MX960-r005# show interfaces ge-3/2/6 
unit 0 {
    family inet {
        address 10.10.6.2/30;
    }
}


labroot@jtac-MX960-r005# show forwarding-options 
port-mirroring {
    instance {
        ingress {
            input {
                rate 1;
            }
            family inet {
                output {
                    interface ge-3/2/6.0 {
                        next-hop 10.10.6.1;
                    }
                    no-filter-check;
                }
            }
        }
    }
}


labroot@jtac-MX960-r005# show firewall     
family inet {
    filter ingress {
        term 1 {
            from {
                source-address {
                    10.10.1.2/32;
                }
                destination-address {
                    10.10.9.2/32;
                }
                destination-port ssh;
            }
            then {
                port-mirror-instance ingress;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

Verification

labroot@jtac-MX960-r005# run show forwarding-options port-mirroring   
Instance Name: ingress                       
  Instance Id: 4             
  Input parameters:
    Rate                  : 1
    Run-length            : 0
    Maximum-packet-length : 0
  Output parameters:
    Family              State     Destination          Next-hop
    inet                up        ge-3/2/6.0           10.10.6.1

Capturing packets on the spirent port will show the packets that are being input to xe-0/0/1.

 

Modification History:

  • 2020-08-19: Modified article and topology to make it compliant to standards; article checked for accuracy

  • 2020-07-10: Modified and removed outbound filter configuration in Solution section

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search