Multiple Ports, Port-Mirror on Juniper MX80 going to a directly connected TAP port

The Setup:

  • You have an MX80 with three ISP connections out to the internet.
  • Ports ge-1/0/0, ge-1/0/1, ge-1/0/2, and ge-1/0/3 all need to have their traffic mirrored
    • Bandwidth for all ports combined is 300 Mbps…so it will not be a problem with utilization another Gig Port to dump all data to
  • Port ge-1/0/4 is the port on the MX80 connecting directly to the Security Appliance
  • You have a security appliance with a TAP port configured to sniff all data transiting the MX 80
    • NO IP Address is assigned
    • You can obtain the MAC address which in this case is: 00:1b:17:37:17:24
MX80 Port Mirror(1)

The Problem:

On Cisco NX-OS it’s very simple to accomplish:
monitor session 1 

  source interface ge-1/0/0,ge-1/0/1,ge-1/0/2,ge-1/0/3 both
  destination interface ge-1/0/4
But…how do we achieve it on a Juniper MX80 Running Code that is applicable in the year 2012/2013?

The Solution:

Step #1: Setup the Port Forwarding
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family inet output interface ge-1/0/4.0 next-hop 1.1.1.2
set forwarding-options port-mirroring family inet output no-filter-check

Note: See Step #4 in terms of why we choose the next hop to be 1.1.12

Step #2: Setup a firewall to mirror the port traffic
set firewall family inet filter port-mirror term 1 then port-mirror
set firewall family inet filter port-mirror term 1 then accept
set firewall family inet filter port-mirror term 2 then accept

NOTE: If you have a filter applied to the interface it’s important that you put in the “then port-mirror” command on that filter.

Step #3: Map The Ports you want to mirror with the firewall filter

set interfaces ge-1/0/0 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/0 unit 0 family inet filter output port-mirror

set interfaces ge-1/0/1 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/1 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter output port-mirror

Step #4: Create a Private IP address and subnet range and map it to the dump port and create an ARP entry with another address to map the TAP port
 
set interfaces ge-1/0/4 unit 0 family inet address 1.1.1.1/30 arp 1.1.1.2 mac 00:1b:17:37:17:24
 
Notice: We are creating a fake IP address on ge-1/0/3 and giving it one particular address then we are creating an ARP entry with a completely different address in the same subset to map the TAP port for.

Leave a Comment