Juniper MX Port Numbering

Unfortunately the Juniper port numbering scheme causes a lot of confusion for people not familiar with the layout: interface names are type-FPC/PIC/port (ge-5/2/7 is FPC 5, PIC 2, port 7), and that doesn't map obviously onto what you see on the front of the chassis. It gets especially awkward when explaining to remote hands on site.

I made a quick reference which I use for some of our MX480s but the principle is the same on other hardware. This is handy for sending to third parties with a port highlighted to ensure they don’t go pulling the wrong cables. :)

(Image: juniper-ports quick reference diagram)

SPAN Port on Juniper MX Series

Unfortunately creating a SPAN port on a Juniper MX isn't as easy as on Cisco kit or even, say, an SRX. You need to jump through a few hoops: a forwarding-options port-mirroring config, a firewall filter to select the traffic, and a bit of a kludge on the SPAN interface itself. The mirrored copies are sent to an IP next-hop, so the PFE needs a MAC address to put on them; since nothing on the far end will answer ARP, you add a static ARP entry for that next-hop to force the traffic out of the interface.

Here are some examples for IOS/NX-OS so you can see the difference.

Cisco IOS

monitor session 1 source interface Gi0/13 both
monitor session 1 destination interface Gi0/24

Cisco NX-OS

monitor session 1
  source interface Eth10/34
  destination interface Ethernet10/35
  no shut

interface Eth10/35
 switchport
 switchport monitor

Nice and simple. But not on JunOS. :(

All credit and thanks to this post which made it very easy to understand:
http://pingpros.blogspot.nl/2012/12/multiple-ports-port-mirror-on-juniper.html

The ports in this example are ge-5/2/7 for the port to be mirrored (the source), and xe-4/3/0 for the output port that connects to the Wireshark box or other monitoring device.

1) Setup the port forwarding option.

set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family inet output interface xe-4/3/0.0 next-hop 1.1.1.2
set forwarding-options port-mirroring family inet output no-filter-check

2) Create a firewall filter which will mirror the port traffic. Term 1 has no from clause, so it matches every packet, mirrors it and then accepts it; term 2 is therefore never reached and is harmless but redundant here. It only becomes necessary if you add a from clause to term 1 to mirror a subset of traffic, because without a final accept everything that misses term 1 would hit the implicit discard at the end of the filter.

set firewall family inet filter port-mirror term 1 then port-mirror
set firewall family inet filter port-mirror term 1 then accept
set firewall family inet filter port-mirror term 2 then accept

3) Apply the firewall filter to the port or ports that you want to mirror.

set interfaces ge-5/2/7 unit 0 family inet filter input port-mirror
set interfaces ge-5/2/7 unit 0 family inet filter output port-mirror

4) Configure the SPAN interface with an IP that doesn't conflict with anything you're already using within your network, and add a dummy ARP entry for the next-hop address so traffic is forced out of the interface. Remember to delete any other configuration on this interface beforehand if re-using, say, an access port. The MAC address is fictional; make sure whatever you pick is a unicast address (group bit of the first octet clear). Note that 1.1.1.0/30 is publicly routed address space these days, so a documentation prefix such as 192.0.2.0/30 or unused RFC 1918 space is a safer choice than the example below.

set interfaces xe-4/3/0 unit 0 family inet address 1.1.1.1/30 arp 1.1.1.2 mac 00:11:22:33:44:55

Note that you can apply the same filter to an existing irb interface to SPAN the traffic routed through it. Where that is applicable it's far less painful than trying to do a pure L2 span.

set interfaces irb unit 900 family inet filter input port-mirror
set interfaces irb unit 900 family inet filter output port-mirror
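As an added example (not part of the original post, and not Juniper's own tooling), here is a small Python generator that produces the four steps above for any number of source ports and irb units, and refuses the mistakes that bite in practice: mirroring the output port into itself, a dummy /30 that overlaps a prefix you actually route, or a next-hop MAC with the multicast bit set. It also decodes the type-FPC/PIC/port naming from the first section so the location can be spelled out for remote hands. The interface names, the 1.1.1.0/30 prefix and the MAC are taken from the post; the prefix list passed as `in_use` is a constructed assumption.

```python
"""Generate Junos MX port-mirroring 'set' lines with sanity checks.

Added example, not code from the post.  Assumes physical Junos interface
names of the form <type>-<fpc>/<pic>/<port>[.<unit>].
"""
import ipaddress
import re

_IFACE_RE = re.compile(
    r"^(?P<type>[a-z]{2,3})-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$"
)
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_iface(name):
    """Split 'xe-4/3/0.0' into its slot numbers (unit defaults to 0)."""
    m = _IFACE_RE.match(name)
    if not m:
        raise ValueError(f"not a physical Junos interface name: {name!r}")
    g = m.groupdict()
    return {
        "type": g["type"], "fpc": int(g["fpc"]), "pic": int(g["pic"]),
        "port": int(g["port"]), "unit": int(g["unit"]) if g["unit"] is not None else 0,
    }


def describe(name):
    """Plain-English location to send to remote hands."""
    p = parse_iface(name)
    return f"{name} is FPC {p['fpc']}, PIC {p['pic']}, port {p['port']}"


def _physical(p):
    return f"{p['type']}-{p['fpc']}/{p['pic']}/{p['port']}"


def build_mirror_config(sources, output, dummy_net, dummy_mac,
                        in_use=(), irb_units=(), filter_name="port-mirror"):
    """Return the 'set' lines for mirroring `sources` and `irb_units` out of `output`."""
    out = _physical(parse_iface(output))
    srcs = [parse_iface(s) for s in sources]
    if any(_physical(p) == out for p in srcs):
        # The mirroring filter on the output port would re-mirror the copies.
        raise ValueError("output interface must not carry the mirroring filter")

    net = ipaddress.ip_network(dummy_net)           # strict: must be a network address
    if net.prefixlen != 30:
        raise ValueError("dummy prefix must be a /30")
    for used in in_use:                             # constructed list of prefixes in use
        if net.overlaps(ipaddress.ip_network(used, strict=False)):
            raise ValueError(f"dummy prefix {net} overlaps in-use prefix {used}")
    local, nexthop = list(net.hosts())             # the two usable addresses of a /30

    if not _MAC_RE.match(dummy_mac):
        raise ValueError(f"bad MAC: {dummy_mac!r}")
    if int(dummy_mac[:2], 16) & 1:
        raise ValueError("next-hop MAC must be unicast (group bit clear)")

    f = filter_name
    lines = [
        # 1) rate 1 mirrors every packet; run-length is kept as in the post.
        "set forwarding-options port-mirroring input rate 1",
        "set forwarding-options port-mirroring input run-length 1",
        f"set forwarding-options port-mirroring family inet output interface {out}.0 next-hop {nexthop}",
        "set forwarding-options port-mirroring family inet output no-filter-check",
        # 2) no from clause: term 1 matches everything, mirrors it and accepts it.
        f"set firewall family inet filter {f} term 1 then port-mirror",
        f"set firewall family inet filter {f} term 1 then accept",
    ]
    # 3) apply the filter in both directions on every source unit.
    for p in srcs:
        lines.append(f"set interfaces {_physical(p)} unit {p['unit']} family inet filter input {f}")
        lines.append(f"set interfaces {_physical(p)} unit {p['unit']} family inet filter output {f}")
    for u in irb_units:
        lines.append(f"set interfaces irb unit {u} family inet filter input {f}")
        lines.append(f"set interfaces irb unit {u} family inet filter output {f}")
    # 4) dummy address plus static ARP so the copies have a MAC to leave with.
    lines.append(
        f"set interfaces {out} unit 0 family inet address {local}/30 arp {nexthop} mac {dummy_mac}"
    )
    return lines


if __name__ == "__main__":
    print(describe("ge-5/2/7"))
    for line in build_mirror_config(["ge-5/2/7"], "xe-4/3/0", "1.1.1.0/30",
                                    "00:11:22:33:44:55", in_use=["10.0.0.0/8"],
                                    irb_units=[900]):
        print(line)
```

Paste the output into `load set terminal` on the MX, or diff it against the running config before committing.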

Job done.

UPDATE: It seems Juniper has added “analyzer” functionality in more recent code. I’ll investigate this at a later date.