RtoDto.net
Network/Security/Programming

Port mirroring in EX switches and SRX

rtoodtoo srx, switching October 14, 2012

If you want to mirror traffic entering and exiting a specific port (e.g ge-0/0/11.0) you can use the following configuration to mirror the traffic to any other port (e.g ge-0/0/10.0)

Here is the configuration I wrote in an ex2200 switch.

Port mirroring in EX switches

[edit ethernet-switching-options analyzer port-mirror]
root@ex2200-1# show
input {
    ingress {
        interface ge-0/0/11.0;
    }
    egress {
        interface ge-0/0/11.0;
    }
}
output {
    interface {
        ge-0/0/10.0;
    }
}

[edit ethernet-switching-options analyzer port-mirror]
root@ex2200-1# show | display set
set ethernet-switching-options analyzer port-mirror input ingress interface ge-0/0/11.0
set ethernet-switching-options analyzer port-mirror input egress interface ge-0/0/11.0
set ethernet-switching-options analyzer port-mirror output interface ge-0/0/10.0

Port mirroring is pretty simple in EX switches compared to SRX series. You just specify input interface and direction of the traffic (ingress,egress) then the output interface which will receive the mirrored traffic.

Port Mirroring in SRX firewalls

By its nature, SRX is more complex and it seems port mirroring isn’t supported in switching interfaces either. Below are the steps that I took to mirror my fe-0/0/0 traffic to a device having IP 172.16.1.2 connected to fe-0/0/6.0 interface. In a nutshell;

Source interface: fe-0/0/0.0
Destination interface: fe-0/0/6.0 (with ip 172.16.1.2)

1) Configure port-mirroring options

[edit forwarding-options port-mirroring]
root@srx100-1# show
input {
    rate 1;
    run-length 12;
}
family inet {
    output {
        interface fe-0/0/6.0 {
            next-hop 172.16.1.2;
        }
    }
}

2) Configure firewall filter (specify the traffic you are interested)

[edit firewall]
root@srx100-1# show
filter port-mirror {
    term all-traf {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            port-mirror;
            accept;
        }
    }
}

3) Apply the filter step 2 to the interface (from which you want to mirror traffic)

[edit interfaces fe-0/0/0]
root@srx100-1# show
unit 0 {
    family inet {
        filter {
            input port-mirror;
            output port-mirror;
        }
        address 192.168.2.100/24;
    }
}

fe-0/0/6.0 configuration (destination interface)

root@srx100-1# show interfaces fe-0/0/6.0
family inet {
    address 172.16.1.1/24;
}

Warning: Be careful and don’t leave the port mirroring on after you finish your work.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

6 thoughts on “Port mirroring in EX switches and SRX”

  4. Thank for posting this. This works on SRX indeed, and I didn’t see other sites explaining how to do this on an SRX!

    Reply

Leave a Reply to rtoodtooCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading