Feb 15, 2014
Port mirroring is a quite common task and not easily done on consumer equipment, but on a Juniper SRX it is REALLY easy. Let's have a look:
Assume
– you want to mirror all the HTTP traffic on your LAN.
– you want to send it to a device with IP 192.168.1.21 which is directly connected to the Juniper.
Step 1
Move the port (let's say fe-0/0/1) where your mirror equipment will connect to the Juniper from switching to routing and give it an IP (within the subnet of the sniffing device):
fe-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
Step 2
Inside the interface configuration for the network you want to monitor (here just vlan.0, whose current IP is 192.168.2.1), set a filter (we will explain what it does in step 4):
vlan {
    unit 0 {
        family inet {
            filter {
                input port-mirror;
                output port-mirror;
            }
            address 192.168.2.1/24;
        }
    }
}
Step 3
Enable port mirroring in the forwarding options, telling it the next hop (= your sniffing device):
port-mirroring {
    input {
        rate 1;
        run-length 10;
    }
    family inet {
        output {
            interface fe-0/0/1.0 {
                next-hop 192.168.1.21;
            }
        }
    }
}
Step 4
Define what the filter “port-mirror” should do. As we want to mirror only HTTP traffic, we will create 3 terms:
– Term 1 will mirror all traffic coming from port 80 TCP
– Term 2 will mirror all traffic going to port 80 TCP
– Term 3 will accept all other traffic (= not mirroring it). This is tricky/important! Junos firewall filters end with an implicit discard, so if you install a filter that contains only the mirroring terms and no final accept term, it will block all other traffic!
filter port-mirror {
    term 1 {
        from {
            source-port http;
        }
        then {
            port-mirror;
            accept;
        }
    }
    term 2 {
        from {
            destination-port http;
        }
        then {
            port-mirror;
            accept;
        }
    }
    term 3 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then accept;
    }
}
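As an added check before committing such a filter (example code written for this post, not from the original post or from Juniper), the following Python script parses a Junos filter written in the brace syntax above and flags one whose final term is not an unconditional accept, the pitfall described for term 3. PAGE_FILTER is a constructed copy of the filter above; the parser and the lint function names are my own.

```python
import re

# Constructed copy of the page's filter; term 3 is the unconditional accept at the end.
PAGE_FILTER = """filter port-mirror {
    term 1 { from { source-port http; } then { port-mirror; accept; } }
    term 2 { from { destination-port http; } then { port-mirror; accept; } }
    term 3 { from { source-address { 0.0.0.0/0; } } then accept; }
}"""
CATCH_ALL = {"0.0.0.0/0", "::/0"}

def parse_junos(text):
    """Hypothetical minimal parser: Junos brace syntax into nested dicts, leaves become a value or True."""
    root, stack = {}, []
    current = root
    for stmt, delim in re.findall(r"\s*([^{};]*?)\s*([{};])", text):
        if delim == "{":
            stack.append(current)
            current = current.setdefault(stmt, {})
        elif delim == ";":
            name, _, value = stmt.partition(" ")
            current[name] = value or True
        else:  # "}" closes the current block
            current = stack.pop()
    return root

def is_catch_all(term):
    """A term with no 'from', or only 0.0.0.0/0-style prefixes, matches every packet."""
    match = term.get("from")
    if match is None:
        return True
    return all(key in ("source-address", "destination-address")
               and isinstance(val, dict) and not set(val) - CATCH_ALL
               for key, val in match.items())

def accepts(term):
    """True when the term's action is accept, alone or alongside port-mirror."""
    then = term.get("then")
    return then == "accept" or (isinstance(then, dict) and "accept" in then)

def lint_filter(text):
    """Return one finding per filter whose final term is not an unconditional accept."""
    findings = []
    for name, body in parse_junos(text).items():
        if not name.startswith("filter "):
            continue
        terms = [(t, b) for t, b in body.items() if t.startswith("term ")]
        if not terms or not (is_catch_all(terms[-1][1]) and accepts(terms[-1][1])):
            findings.append(f"{name}: no final catch-all accept term; the implicit "
                            "discard at the end of the filter would drop all other traffic")
    return findings
```

Running lint_filter(PAGE_FILTER) returns an empty list; remove term 3 and it reports the missing catch-all accept.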
This is the Juniper KB if you feel my explanation isn’t good enough ;)
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21833&smlogin=true
Thanks for this!