- You have an MX80 with three ISP connections out to the internet.
- Ports ge-1/0/0, ge-1/0/1, ge-1/0/2, and ge-1/0/3 all need to have their traffic mirrored
- Bandwidth for all ports combined is 300 Mbps…so it will not be a problem with utilization another Gig Port to dump all data to
- Port ge-1/0/4 is the port on the MX80 connecting directly to the Security Appliance
- You have a security appliance with a TAP port configured to sniff all data transiting the MX 80
- NO IP Address is assigned
- You can obtain the MAC address which in this case is: 00:1b:17:37:17:24
On Cisco NX-OS it’s very simple to accomplish:
monitor session 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family inet output interface ge-1/0/4.0 next-hop 188.8.131.52
set forwarding-options port-mirroring family inet output no-filter-check
Note: See Step #4 in terms of why we choose the next hop to be 1.1.12
Step #2: Setup a firewall to mirror the port traffic
set firewall family inet filter port-mirror term 1 then port-mirror
set firewall family inet filter port-mirror term 1 then accept
set firewall family inet filter port-mirror term 2 then accept
Step #3: Map The Ports you want to mirror with the firewall filter
set interfaces ge-1/0/0 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/1 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/1 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter output port-mirror
Having utilized routing-instances in the MX series to segregate management functions/protocols away from insecure internet sources I ran into an instance that’s quite unique to the SRX platform only.
Normally for management items on an MX series one would create a separate routing instance away from the routing instance (see image below). This allows for segregation and reduces potential security holes in your design.
Design Main Points:
Create a MGMT routing-instance and import/export ribs between the the main and mgmt inet.0 routing tables, NAT and re-route certain management protocols/functions (NTP, netconf, syslog, snmp, etc…) from the main routing table (inet.0) to mgmt.inet.0.
Note: This assumes that your company is very strict on opening ports and doing NAT device cross talk between your outside region. Valid in corporations with standards…not so much within smaller companies that don’t care for security of course.
While most items can be re-routed and transferred over, one particular item is not doable on the SRX systems themselves.
If you want to use an internal ntp client to maintain and manage time for all of your server equipment SRX series routers simply cannot route ntp over any instance but the main one (IE. inet.0).
So why doesn’t it work on the SRX Series?
It’s the way the SRX bootup procedures are setup. It will always use the main routing table (inet.0).
The little things and difference are usually annoying so hopefully somebody will find this article in case they have similar designs and requirements.