Você está na página 1de 8

How to do port mirroring on SRX high-end devices

SUMMARY:
This article explains how port mirroring feature can be configured on a high-end SRX device.
This feature is supported from Junos version 11.1.
PROBLEM OR GOAL:
Sometimes we may need to analyze the traffic on an interface. On high end SRX devices,
this can be accomplished by mirroring the interface.
CAUSE:
SOLUTION:
Step 1: Configure an instance of port-mirroring
[edit forwarding-options]
port-mirroring {
instance {
instance1 {
input {
rate 1;
run-length 10;
}
family any {
output {
interface ge-1/0/1.0;
}
}
}
}
}
Step 2: Apply the instance on the port that is to be mirrored.
[edit interfaces]
ge-1/0/0 {
port-mirror-instance instance1;
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
The following is a sample configuration. The traffic which comes into or goes out of ge-1/0/0
can be captured on ge-1/0/1.
version 11.1R1.14;
system {
root-authentication {
encrypted-password "$1$YSoyuz1q$8DyJ.tDFGvz/ZvGumx0Xb1"; ## SECRET-DATA
}

services {
ftp;
}
}
interfaces {
ge-1/0/0 {
port-mirror-instance instance1;
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
ge-1/0/1 {
unit 0 {
family inet {
address 2.2.2.1/24;
}
}
}
}
forwarding-options {
port-mirroring {
instance {
instance1 {
input {
rate 1;
run-length 10;
}
family any {
output {
interface ge-1/0/1.0;
}
}
}
}
}
}
security {
policies {
default-policy {
permit-all;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {

all;
}
}

Caveats and Limitations


1. This document is applicable only to SRX-1k/3k IOC and SRX5000 FIOC.

2. Both the mirrored port and mirror-to port must be physical ports

3. The device will insert a 4-byte VLAN tag (0x0001) in the egress mirrored packets.
o

Side-effect: when the switch exists between the MTP and packet analyzer, it
may drop the egress packets before forwarding to packet analyzer.

Work-around: direct the connect packet analyzer to MTP.

4. The mirror-to port:


o

Layer 3 needs a IP address configured.

Layer 2 needs a interface-mode. For example:


- The MTP should not participate in any protocol configuration.
- The MTP should not be the mirrored port at the same time.

5. The instance is a character string and does not have state or status to show.

6. The input arguments under forwarding-options comply with MX-series portmirroring config requirement; but will not take effect on SRX. However, the rate and
run-length are required to be filled in.

7. A reboot is necessary when the configuration is swapped between the L2 and L3


config.

How to do port mirroring on J-series and SRX branch


devices
SUMMARY:
This article explains how port mirroring feature can be configured on an SRX device.
PROBLEM OR GOAL:
Sometimes we may need to examine the traffic on an interface. This can be accomplished
by taking a packet capture on the interface or mirroring the interface.
CAUSE:
SOLUTION:
Step 1: Configure port mirroring in the forwarding options hierarchy:
[edit forwarding-options]
port-mirroring {
input {
rate 1;
run-length 10;
}
family inet {
output {
interface ge-0/0/1.0 {
next-hop 2.2.2.1;
}
}
}
}
Step 2: Configure firewall filter to port mirror
[edit firewall]
filter port-mirror {
term 1 {
from {
source-address {
0.0.0.0/0;
}
}
then {
port-mirror;
accept;
}
}
}
Step 3: Apply the filter on an interface that is to be mirrored
[edit interfaces]
ge-0/0/0 {
unit 0 {
family inet {

filter {
input port-mirror;
output port-mirror;
}
address 1.1.1.1/24;
}

}
The following is a sample configuration for port mirroring.
In this example, a copy of the traffic that that comes into or goes out of the ge-0/0/0
interface can be sent to a monitoring system from ge-0/0/1 interface where it can be
captured and analyzed.
system {
root-authentication {
encrypted-password "$1$9UsjE5u5$tb1.O6wtCosLwVBEWmsYP."; ## SECRET-DATA
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
filter {
input port-mirror;
output port-mirror;
}
address 1.1.1.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 2.2.2.2/24;
}
}
}
}
forwarding-options {
port-mirroring {
input {
rate 1;
run-length 10;
}
family inet {
output {
interface ge-0/0/1.0 {
next-hop 2.2.2.1;
}
}
}
}
}
security {

policies {
default-policy {
permit-all;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
all;
}
}
}

}
firewall {
filter port-mirror {
term 1 {
from {
source-address {
0.0.0.0/0;
}
}
then {
port-mirror;
accept;
}
}
}
}
Note: Port mirroring with ethernet-switching is not supported.
http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/configurationstatement/session-mirroring-edit-services.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15504
http://blog.wirhabenstil.de/2014/02/15/juniper-srx-port-mirroring/
upgrade os by issu for srx
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17946
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947

Juniper SRX port mirroring

Port mirroring is a quite common task and not easily done on consumer equipment, but using a
Juniper SRX it easy REALLY easy. Lets have a look:
Assume
you want to mirror all the HTTP traffic on your LAN.
you want to send it to a device with IP 192.168.1.21 which is directly connected to the Juniper.

Step 1
Move the port (lets say fe-0/0/1) where your mirror equipment will connect to the Juniper from
switching to routing and give an IP:
fe-0/0/1 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}

Step 2
Inside the interface configuration for the network you want to monitor (here just vlan.0), set a
filter (we will explain what it is in step 4):
vlan {
unit 0 {
family inet {
filter {
input port-mirror;
output port-mirror;
}
address 192.168.2.1/24;
}
}
}

Step 3
Enable port-mirroring in the forwarding options, telling them the next hop (=your sniffing
device):
port-mirroring {
input {
rate 1;
run-length 10;
}
family inet {
output {
interface fe-0/0/1.0 {
next-hop 192.168.1.21;
}
}
}
}

Step 4
Define what the filter port-mirror should do. As we want to mirror only HTTP traffic, we will
create 3 terms:
Term 1 will mirror all traffic coming from port 80 TCP
Term 2 will mirror all traffic going to port 80 TCP

Term 3 will accept all other traffic (not mirroring it). This is important! If you install a filter
which mirrors the traffic but contains no implicit ALLOW at the end, it will block all the traffic!
filter port-mirror {
term 1 {
from {
source-port http;
}
then {
port-mirror;
accept;
}
}
term 2 {
from {
destination-port http;
}
then {
port-mirror;
accept;
}
}
term 3 {
from {
source-address {
0.0.0.0/0;
}
}
then accept;
}
}