Routing

Contributor boston1630
Posts: 19
Registered: 12-14-2009
Port Mirroring in both directions on an MX80?

All,


I've set up a one-way port mirror on all input traffic on an MX80 1Gb port. I can't seem to set up an input and output port mirror on the same port. JTAC recommended the following link:


http://www.juniper.net/techpubs/en_US/junos10.4/topics/usage-guidelines/services-configuring-port-mi...

I changed it to the following:

http://www.juniper.net/techpubs/en_US/junos11.2/topics/usage-guidelines/services-configuring-port-mi...

The site says that "You do not need to configure firewall filters on both inbound and outbound interfaces, but at least one is necessary on the inbound interface to provide the copies of the packets to send to an analyzer." To me this sounds like it is still possible to mirror in both directions.


I'm currently running 11.2R5 on an MX80. I have one interface in inet.0 and another in a test VRF. I have OSPF, BFD, and PIM running across these interfaces. I am neighbored up and see all of the input traffic port mirrored destined for the ge-1/1/0 interface. I cannot see any of the output traffic from ge-1/1/0 to ge-1/1/7.

Thanks for any help that you can offer!

-Mike

Here's my code:

mike@PW1# show forwarding-options
port-mirroring {
    input {
        rate 1;
        run-length 1;
    }
    family inet {
        output {
            interface ge-1/1/9.0 {
                next-hop 10.0.0.2;
            }
            no-filter-check;
        }
    }
}

mike@PW1# show firewall
filter pm-test {
    term first {
        then {
            count adding-up;
            port-mirror;
            next term;
        }
    }
    term second {
        then accept;
    }
}
filter output-pm-test {
    term first {
        from {
            protocol pim;
        }
        then {
            count adding-up-pim;
            port-mirror;
        }
    }
    term second {
        then accept;
    }
}

mike@PW1# show interfaces
ge-1/1/0 {
    unit 0 {
        family inet {
            filter {
                input pm-test;
                output output-pm-test;
            }
            address 10.1.1.1/30;
        }
    }
}
ge-1/1/7 {
    unit 0 {
        family inet {
            address 10.1.1.2/30;
        }
    }
}
ge-1/1/9 {
    unit 0 {
        family inet {
            address 10.0.0.1/30 {
                arp 10.0.0.2 mac f0:de:f1:da:ee:06;
            }
        }
    }
}

Contributor boston1630

Re: Port Mirroring in both directions on an MX80?

Here's the solution to my question above. A little more detail on this issue was published at the following location:

http://networkarch.blogspot.com/2012/08/port-mirroring-on-juniper-mx.html

1. Add the following statement under the [forwarding-options] stanza:

port-mirroring {
    input {
        rate 1;
        run-length 1;
    }
    family inet {
        output {
            interface ge-1/1/4.0 {
                next-hop 10.0.0.2;
            }
            no-filter-check;
        }
    }
}

2. Create an input and an output firewall filter for port mirroring:

filter output-pm-test {
    term 1 {
        then {
            count output-pm;
            port-mirror;
            accept;
        }
    }
}

filter input-pm-test {
    term 1 {
        then {
            count input-pm;
            port-mirror;
            accept;
        }
    }
}

3. Apply the firewall filter to an existing interface:

family inet {
    filter {
        input input-pm-test;
        output output-pm-test;
    }
}

4. Configure the next-hop interface referenced in the port-mirroring configuration in step #1:

description "Test port-mirroring";
unit 0 {
    family inet {
        address 10.0.0.1/30 {
            arp 10.0.0.2 mac 12:34:56:12:34:56;
        }
    }
}

5. Commit the above changes.

6. Run the following command:

monitor interface ge-1/1/4

You should see incrementing output traffic as long as the interface is up:

Output bytes:                 22526615 (20856 bps)

I tested this by plugging my laptop into ge-1/1/4 and allowing Wireshark to put my NIC into promiscuous mode.
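The four configuration pieces in the steps above (mirror destination, input and output filters with the port-mirror action, filters applied on the monitored unit, static ARP for the next-hop) can be checked mechanically before committing. The script below is an added example, not code from this thread or from Juniper; it assumes the configuration is exported with "show configuration | display set", and the embedded sample is a constructed set-form copy of the working configuration above.

```python
# Added example (not from the thread): verify an interface is mirrored in both
# directions. Assumes "show configuration | display set" output as input.
# Constructed sample: the reply's working configuration, in set form.
SAMPLE = """
set forwarding-options port-mirroring family inet output interface ge-1/1/4.0 next-hop 10.0.0.2
set firewall filter input-pm-test term 1 then count input-pm
set firewall filter input-pm-test term 1 then port-mirror
set firewall filter input-pm-test term 1 then accept
set firewall filter output-pm-test term 1 then count output-pm
set firewall filter output-pm-test term 1 then port-mirror
set firewall filter output-pm-test term 1 then accept
set interfaces ge-1/1/0 unit 0 family inet filter input input-pm-test
set interfaces ge-1/1/0 unit 0 family inet filter output output-pm-test
set interfaces ge-1/1/0 unit 0 family inet address 10.1.1.1/30
set interfaces ge-1/1/4 unit 0 family inet address 10.0.0.1/30 arp 10.0.0.2 mac 12:34:56:12:34:56
"""

def parse_set(text):
    """Split each 'set ...' statement into its tokens, dropping the 'set' keyword."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]

def check_mirror(text, iface, unit="0"):
    """Return a list of problems; an empty list means the mirror looks complete."""
    stmts = parse_set(text)
    problems = []
    # 1. Filters applied in each direction on the monitored unit (step 3).
    applied = {s[7]: s[8] for s in stmts
               if s[:7] == ["interfaces", iface, "unit", unit, "family", "inet", "filter"]}
    for direction in ("input", "output"):
        name = applied.get(direction)
        if name is None:
            problems.append(f"no {direction} filter on {iface}.{unit}")
        # 2. The referenced filter must have a term with the port-mirror action (step 2).
        elif not any(s[:3] == ["firewall", "filter", name] and s[-1] == "port-mirror"
                     for s in stmts):
            problems.append(f"{direction} filter {name} has no port-mirror action")
    # 3. Mirror destination interface and next-hop from forwarding-options (step 1).
    out = next((s for s in stmts if s[:6] == ["forwarding-options", "port-mirroring",
                                             "family", "inet", "output", "interface"]), None)
    if out is None:
        return problems + ["no port-mirroring output interface configured"]
    out_if, out_unit = out[6].split(".")
    nh = out[8] if len(out) > 8 and out[7] == "next-hop" else None
    # 4. Static ARP for the next-hop on that unit (step 4): an analyzer usually does
    #    not own that address, so without it the router cannot resolve the next-hop.
    if not any(s[:6] == ["interfaces", out_if, "unit", out_unit, "family", "inet"]
               and "arp" in s and s[s.index("arp") + 1] == nh for s in stmts):
        problems.append(f"no static ARP entry for next-hop {nh} on {out_if}.{out_unit}")
    return problems
```

Run check_mirror(SAMPLE, "ge-1/1/0") against the exported configuration of the monitored interface; any non-empty result names the step whose piece is missing.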

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.