[MX] Configuration Example - Port mirroring IPSec traffic on MPC before and after encryption

Article ID: KB34911 KB Last Updated: 11 Sep 2019Version: 1.0
Summary:

This article provides an example of configuring port mirroring on an MX Series router to capture both the unencrypted and the encrypted copies of IPsec packets as they pass through an MS-MPC or MS-MIC services card.

Solution:

First, configure the port-mirroring instance:

port-mirroring {
    instance {
        port-mirror {
            input {
                rate 1;
                run-length 1;
            }
            family inet {
                output {
                    interface xe-0/3/0.0 {  <-- interface pointing to the collector
                        next-hop 20.1.1.2;  <-- collectors next-hop interface address
                    }
                }
            }
        }
    }
}

Once the instance is configured, map it to the FPC on which the traffic to be mirrored is received:

labroot@crtj-sp1x-2002> show configuration chassis
fpc 0 {   <-- FPC number is the slot where the traffic of interest arrives (the ms-0/0/0 interface in this example)
    pic 2 {
        tunnel-services {
            bandwidth 10g;
        }
    }
    port-mirror-instance port-mirror; 
}

Note: if you are using an MX80 or MX104, the instance must always be mapped to FPC0.

Once the instance is mapped, configure a firewall filter that references the port-mirroring instance, and then apply the filter to the ms interface:

labroot@crtj-sp1x-2002> show configuration firewall
family inet {
    filter port-mirror-filter {
        term 1 {
            then {
                port-mirror-instance port-mirror;
                accept;
            }
        }
    }
}

If the packets need to be captured unencrypted, apply the filter to the inside interface of ms-0/0/0:

labroot@crtj-sp1x-2002> show configuration interfaces ms-0/0/0 unit 4690
family inet {
    filter {
        input port-mirror-filter;
        output port-mirror-filter;
    }
    address 169.254.197.100/31;
}
service-domain inside;

If the packets need to be captured encrypted, apply the filter to the outside interface of ms-0/0/0:

labroot@crtj-sp1x-2002> show configuration interfaces ms-0/0/0 unit 14690   
family inet {
    filter {
        input port-mirror-filter;
        output port-mirror-filter;
    }
}
service-domain outside;

Note that the configuration above uses the next-hop-service style of service set for the IPsec VPN, as opposed to the interface-style service set.

You can open the captured file in Wireshark. In the capture taken on the inside interface, you will see unencrypted traffic from the physical or gr (in the case of GRE over IPsec) interface with its original source and destination addresses. In the capture taken on the outside interface, you will see the traffic encrypted by the IPsec tunnel, with the local and remote gateway addresses as source and destination respectively. The service set and IPsec rule that define those gateways are shown below.

labroot@crtj-sp1x-2002> show configuration services service-set SS-IPSEC-CRTJ-SH90-0012
next-hop-service {
    inside-service-interface ms-0/0/0.4690;
    outside-service-interface ms-0/0/0.14690;
}
ipsec-vpn-options {
    local-gateway 1.1.1.2;  <--  loopback used as local-gateway
}
ipsec-vpn-rules IPSEC-RULE-CRTJ-SH90-0012;

labroot@crtj-sp1x-2002> show configuration services ipsec-vpn rule IPSEC-RULE-CRTJ-SH90-0012
term 1 {
    then {
        remote-gateway 1.1.1.1;  <-- loopback on remote device to which the tunnel terminates
        dynamic {
            ike-policy IKE-POLICY;
            ipsec-policy IPSEC-POLICY;
        }
        no-anti-replay;
    }
}
match-direction input;
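The following is an added example, not part of the KB article or Juniper's own tooling. It shows how to verify that a mirrored capture contains what the article says each service domain should carry: cleartext packets with their original addresses on the inside side, and tunnel traffic between the local gateway 1.1.1.2 and the remote gateway 1.1.1.1 (taken from the service set above) on the outside side. It assumes the tunnel uses ESP (IP protocol 50); the packets it parses are constructed inline to stand in for two mirrored captures, so it runs offline. On a real capture you would feed it the raw IPv4 frames instead.

```python
"""
Classify packets from a port-mirror capture as pre-encryption (inside)
or post-encryption (outside) IPsec traffic.

Added example, not from the KB article. Gateway addresses are the ones
shown in the article's service set; ESP tunnel mode is an assumption.
"""
import struct
import ipaddress

IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_UDP = 17

# Addresses from the article's service-set / ipsec-vpn rule
LOCAL_GATEWAY = "1.1.1.2"
REMOTE_GATEWAY = "1.1.1.1"


def build_ipv4(src, dst, proto, payload=b""):
    """Construct a minimal 20-byte IPv4 header plus payload (test input only)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) from a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def classify(packet, local_gw=LOCAL_GATEWAY, remote_gw=REMOTE_GATEWAY):
    """
    side = "outside": ESP between the two tunnel gateways (outside-interface mirror)
    side = "inside" : anything else, i.e. cleartext with original addresses
    side = "control": non-ESP traffic between the gateways, e.g. IKE; inspect separately
    """
    parsed = parse_ipv4(packet)
    if parsed is None:
        return {"side": "malformed"}
    src, dst, proto, payload = parsed
    between_gws = {src, dst} == {local_gw, remote_gw}
    if proto == IPPROTO_ESP and between_gws and len(payload) >= 8:
        # ESP header: 32-bit SPI followed by 32-bit sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return {"side": "outside", "src": src, "dst": dst, "spi": spi, "seq": seq}
    if between_gws:
        return {"side": "control", "src": src, "dst": dst, "proto": proto}
    return {"side": "inside", "src": src, "dst": dst, "proto": proto}


def summarize(packets):
    """Count packets per side so a capture can be sanity-checked at a glance."""
    counts = {}
    for pkt in packets:
        side = classify(pkt)["side"]
        counts[side] = counts.get(side, 0) + 1
    return counts


def mirror_matches(packets, expected_side):
    """True if every packet is what a mirror of that service domain should carry."""
    return bool(packets) and all(classify(p)["side"] == expected_side for p in packets)


# Constructed sample packets standing in for the two mirrored captures
INSIDE_SAMPLE = [
    build_ipv4("10.10.1.5", "10.20.1.9", IPPROTO_UDP, b"\x00\x35\x00\x35\x00\x08\x00\x00"),
    build_ipv4("10.20.1.9", "10.10.1.5", IPPROTO_GRE, b"\x00\x00\x08\x00"),  # GRE over IPsec case
]
OUTSIDE_SAMPLE = [
    build_ipv4(LOCAL_GATEWAY, REMOTE_GATEWAY, IPPROTO_ESP,
               struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),
    build_ipv4(REMOTE_GATEWAY, LOCAL_GATEWAY, IPPROTO_ESP,
               struct.pack("!II", 0xC0FFEE02, 1) + b"\x00" * 16),
]

if __name__ == "__main__":
    print("inside mirror :", summarize(INSIDE_SAMPLE))
    print("outside mirror:", summarize(OUTSIDE_SAMPLE))
    print("inside capture clean?", mirror_matches(INSIDE_SAMPLE, "inside"))
```

If an outside-interface capture shows packets classified as "inside", the filter was applied to the wrong unit or the service-domain statements are swapped; a "control" entry is expected for IKE negotiation between the gateways and is not a sign of plaintext leaking past the tunnel.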
