[MX] Configuration Example - Port mirroring IPSec traffic on MPC before and after encryption

  [KB34911]


Summary:

This article provides an example of configuring port mirroring on an MX router to capture both the encrypted and the unencrypted copies of IPsec packets as they traverse an MS-MPC or MS-MIC services card.

Solution:

First, configure a port-mirroring instance. With rate 1 every packet that matches the filter is mirrored (1 in 1), so run-length 1 has no further effect; the family inet output names the interface facing the collector and the collector's next-hop address.

port-mirroring {
    instance {
        port-mirror {
            input {
                rate 1;
                run-length 1;
            }
            family inet {
                output {
                    interface xe-0/3/0.0 {  <-- interface pointing to the collector
                        next-hop 20.1.1.2;  <-- collector's next-hop address on that interface
                    }
                }
            }
        }
    }
}

Once the instance is configured, map it to the FPC on which the traffic to be mirrored is received:

labroot@crtj-sp1x-2002> show configuration chassis
fpc 0 {   <-- the FPC slot of the ms-0/0/0 interface on which the traffic to be mirrored arrives
    pic 2 {
        tunnel-services {
            bandwidth 10g;
        }
    }
    port-mirror-instance port-mirror; 
}

Note: if you are using an MX80 or MX104, the instance must always be mapped to FPC0.

Once the instance is mapped, configure a firewall filter whose action references the port-mirroring instance, then apply that filter to the ms interface.

labroot@crtj-sp1x-2002> show configuration firewall
family inet {
    filter port-mirror-filter {
        term 1 {
            then {
                port-mirror-instance port-mirror;
                accept;
            }
        }
    }
}

To capture the packets unencrypted, apply the filter to the inside interface of ms-0/0/0 (here unit 4690, service-domain inside). Keep in mind that this sends the cleartext of the VPN traffic to the collector, so the collector and the link to it need the same protection as the tunnel payload itself.

labroot@crtj-sp1x-2002> show configuration interfaces ms-0/0/0 unit 4690
family inet {
    filter {
        input port-mirror-filter;
        output port-mirror-filter;
    }
    address 169.254.197.100/31;
}
service-domain inside;

To capture the packets encrypted, apply the filter to the outside interface of ms-0/0/0 (here unit 14690, service-domain outside):

labroot@crtj-sp1x-2002> show configuration interfaces ms-0/0/0 unit 14690   
family inet {
    filter {
        input port-mirror-filter;
        output port-mirror-filter;
    }
}
service-domain outside;

Note that the configuration above uses a next-hop-style service set for the IPsec VPN (separate inside and outside service interfaces) rather than an interface-style service set; it is this inside/outside split that lets you pick the cleartext or the encrypted side of the tunnel.

Open the captured file in Wireshark. In the capture taken on the inside interface you will see the unencrypted traffic sent from the physical or gr- interface (for GRE over IPsec) with its original source and destination addresses. In the capture taken on the outside interface you will see the IPsec-encrypted (ESP) packets, whose source and destination are the local and remote gateway addresses respectively.
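As an added example that is not part of the KB article, the following Python script (standard library only) automates the check described above: it reads a classic pcap from the collector and reports any packet that does not match the interface it was mirrored from, i.e. anything other than ESP between the two gateways on an outside-interface capture, or any ESP at all on an inside-interface capture. The gateway addresses 1.1.1.2 and 1.1.1.1 are taken from the service set shown below; the pcap bytes, the SPI and the inner addresses 10.0.0.1/10.0.1.1 are constructed for illustration.

```python
"""Sanity-check mirrored captures: outside = ESP between the gateways, inside = cleartext.

Added example (not part of the KB article). Standard library only; the pcap
bytes below are constructed, not captured on a router.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_GRE = 47
PROTO_ESP = 50

# Gateways from the article's service set; the inner addresses used later are assumed.
LOCAL_GW, REMOTE_GW = "1.1.1.2", "1.1.1.1"


def iter_pcap(data):
    """Yield each frame of a classic (libpcap) file, honouring the byte order given by the magic."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return (src, dst, proto, label) for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34:                        # 14-byte Ethernet + 20-byte IPv4 minimum
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if proto == PROTO_ESP:
        if len(ip) >= ihl + 8:
            spi, seq = struct.unpack_from("!II", ip, ihl)   # ESP header: SPI then sequence number
            label = f"esp spi=0x{spi:08x} seq={seq}"
        else:
            label = "esp (truncated)"
    elif proto == PROTO_GRE:
        label = "gre (cleartext)"
    else:
        label = f"ip proto {proto} (cleartext)"
    return src, dst, proto, label


def check_capture(data, local_gw, remote_gw, expect_encrypted):
    """Return a list of violations; an empty list means the capture matches the interface it came from."""
    problems = []
    for n, frame in enumerate(iter_pcap(data), 1):
        info = classify(frame)
        if info is None:
            continue
        src, dst, proto, label = info
        if expect_encrypted:
            # Outside interface: only ESP, and only between the two gateways.
            if proto != PROTO_ESP or {src, dst} != {local_gw, remote_gw}:
                problems.append(f"pkt {n}: expected ESP {local_gw}<->{remote_gw}, saw {src}->{dst} {label}")
        elif proto == PROTO_ESP:
            # Inside interface: cleartext only; ESP here means the filter sits on the wrong unit.
            problems.append(f"pkt {n}: ESP on an inside-interface capture: {src}->{dst} {label}")
    return problems


# --- constructed sample captures (not real router output) -------------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload                       # header checksum left 0; it is never validated here


def _frame(ip_packet):
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


# What the outside interface should show: ESP between the two gateways (SPI is made up).
OUTSIDE_PCAP = build_pcap([_frame(_ipv4(LOCAL_GW, REMOTE_GW, PROTO_ESP,
                                        struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 32))])
# What the inside interface should show: the original GRE packet, in the clear (assumed addresses).
INSIDE_PCAP = build_pcap([_frame(_ipv4("10.0.0.1", "10.0.1.1", PROTO_GRE,
                                       struct.pack("!HH", 0, ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19))])

if __name__ == "__main__":
    for name, data, enc in (("outside", OUTSIDE_PCAP, True), ("inside", INSIDE_PCAP, False)):
        print(name, check_capture(data, LOCAL_GW, REMOTE_GW, enc) or "OK")
```

To use it on a real collector file, read the file into bytes and call check_capture with expect_encrypted=True for the outside-interface capture and False for the inside-interface capture; a non-empty result usually means the filter was applied to the wrong unit or the service set is interface-style rather than next-hop-style.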

labroot@crtj-sp1x-2002> show configuration services service-set SS-IPSEC-CRTJ-SH90-0012
next-hop-service {
    inside-service-interface ms-0/0/0.4690;
    outside-service-interface ms-0/0/0.14690;
}
ipsec-vpn-options {
    local-gateway 1.1.1.2;  <--  loopback address used as the local gateway
}
ipsec-vpn-rules IPSEC-RULE-CRTJ-SH90-0012;

labroot@crtj-sp1x-2002> show configuration services ipsec-vpn rule IPSEC-RULE-CRTJ-SH90-0012
term 1 {
    then {
        remote-gateway 1.1.1.1;  <-- loopback address on the remote device where the tunnel terminates
        dynamic {
            ike-policy IKE-POLICY;
            ipsec-policy IPSEC-POLICY;
        }
        no-anti-replay;
    }
}
match-direction input;

The no-anti-replay statement in this rule disables IPsec anti-replay protection; it is part of the lab configuration shown, not a requirement for port mirroring.
