Port mirroring in EX switches and SRX
If you want to mirror traffic entering and exiting a specific port (e.g ge-0/0/11.0) you can use the following configuration to mirror the traffic to any other port (e.g ge-0/0/10.0)
Here is the configuration I wrote in an ex2200 switch.
Port mirroring in EX switches
[edit ethernet-switching-options analyzer port-mirror]
root@ex2200-1# show
input {
ingress {
interface ge-0/0/11.0;
}
egress {
interface ge-0/0/11.0;
}
}
output {
interface {
ge-0/0/10.0;
}
}
[edit ethernet-switching-options analyzer port-mirror]
root@ex2200-1# show | display set
set ethernet-switching-options analyzer port-mirror input ingress interface ge-0/0/11.0
set ethernet-switching-options analyzer port-mirror input egress interface ge-0/0/11.0
set ethernet-switching-options analyzer port-mirror output interface ge-0/0/10.0
Port mirroring is pretty simple in EX switches compared to SRX series. You just specify input interface and direction of the traffic (ingress,egress) then the output interface which will receive the mirrored traffic.
Port Mirroring in SRX firewalls
By its nature, SRX is more complex and it seems port mirroring isn’t supported in switching interfaces either. Below are the steps that I took to mirror my fe-0/0/0 traffic to a device having IP 172.16.1.2 connected to fe-0/0/6.0 interface. In a nutshell;
Source interface: fe-0/0/0.0
Destination interface: fe-0/0/6.0 (with ip 172.16.1.2)
1) Configure port-mirroring options
[edit forwarding-options port-mirroring]
root@srx100-1# show
input {
rate 1;
run-length 12;
}
family inet {
output {
interface fe-0/0/6.0 {
next-hop 172.16.1.2;
}
}
}
2) Configure firewall filter (specify the traffic you are interested)
[edit firewall]
root@srx100-1# show
filter port-mirror {
term all-traf {
from {
source-address {
0.0.0.0/0;
}
}
then {
port-mirror;
accept;
}
}
}
3) Apply the filter step 2 to the interface (from which you want to mirror traffic)
[edit interfaces fe-0/0/0]
root@srx100-1# show
unit 0 {
family inet {
filter {
input port-mirror;
output port-mirror;
}
address 192.168.2.100/24;
}
}
fe-0/0/6.0 configuration (destination interface)
root@srx100-1# show interfaces fe-0/0/6.0
family inet {
address 172.16.1.1/24;
}
Warning: Be careful and don’t leave the port mirroring on after you finish your work.
Hey, this page is really useful. great
Hallo,is it working if I configure port mirroring in “reth” logical interface in SRX cluster?
Thanks
Before there was a limitation but apparently now onwards 12.1X45, you can take capture on reth on branch srx devices. Check this https://www.juniper.net/documentation/en_US/junos/topics/concept/security-chassis-cluster-limitations.html
Thank for posting this. This works on SRX indeed, and I didn’t see other sites explaining how to do this on an SRX!
You’re welcome.
you’re welcome Francois.