Unfortunately creating a SPAN port on a Juniper MX isn’t as easy as on Cisco kit or even, say an SRX. You need to jump through a few hoops creating a forwarding-options config, a firewall filter and also a bit of a kludge with the SPAN interface by creating a static ARP entry to force traffic out.
Here are some examples for IOS/NX-OS so you can see the difference.
IOS:
monitor session 1 source interface Gi0/13 both
monitor session 1 destination interface Gi0/24
NX-OS:
monitor session 1
  source interface Eth10/34
  destination interface Ethernet10/35
  no shut
interface Eth10/35
  switchport
  switchport monitor
Nice and simple. But not on JunOS. :(
All credit and thanks to this post which made it very easy to understand:
The ports in this example are ge-5/2/7 (the port to be mirrored) and xe-4/3/0 (the port that connects to the Wireshark box or other monitoring device).
1) Set up the port-mirroring forwarding option.
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family inet output interface xe-4/3/0.0 next-hop 220.127.116.11
set forwarding-options port-mirroring family inet output no-filter-check
2) Create a firewall filter which will mirror the port traffic. I presume term 2 is required so it still allows traffic through as well as port-mirroring.
set firewall family inet filter port-mirror term 1 then port-mirror
set firewall family inet filter port-mirror term 1 then accept
set firewall family inet filter port-mirror term 2 then accept
3) Apply the firewall filter to the port or ports that you want to mirror.
set interfaces ge-5/2/7 unit 0 family inet filter input port-mirror
set interfaces ge-5/2/7 unit 0 family inet filter output port-mirror
4) Configure the SPAN interface with an IP that doesn’t conflict with anything you’re already using within your network, and add a dummy ARP entry for the next-hop address so traffic is forced out of the interface. Remember to remove any other configuration on this interface beforehand if re-using, say, an access port. The MAC address is fictional.
set interfaces xe-4/3/0 unit 0 family inet address 18.104.22.168/30 arp 22.214.171.124 mac 00:11:22:33:44:55
Note that you can add the same config to an existing irb interface to SPAN an irb. This is less painful than trying to do pure L2 span when it’s applicable.
set interfaces irb unit 900 family inet filter input port-mirror
set interfaces irb unit 900 family inet filter output port-mirror
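As an added example (not from the original post), here is a small Python generator for steps 1 to 4 above, including the irb variant, that emits the same set commands for a given list of ports and refuses to produce a config where the port-mirroring next-hop is not an address in the SPAN port's own subnet, which is the consistency the static-ARP kludge depends on. The port names, the 192.0.2.0/30 addresses and the MAC are constructed values.

```python
import ipaddress
import re

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def junos_port_mirror_config(mirrored, span_port, span_address, next_hop,
                             next_hop_mac, filter_name="port-mirror",
                             rate=1, run_length=1):
    """Return the Junos 'set' lines for steps 1-4 above.

    mirrored is a list of (interface, unit) pairs such as ("ge-5/2/7", 0) or
    ("irb", 900); span_port is the physical port facing the capture box.
    """
    span_ip = ipaddress.ip_interface(span_address)
    nh = ipaddress.ip_address(next_hop)
    # The kludge only works if the mirror next-hop is the address that gets the
    # static ARP entry, and that must be another host in the SPAN port's subnet.
    if nh == span_ip.ip or nh not in span_ip.network:
        raise ValueError(f"next-hop {nh} must be another address in {span_ip.network}")
    if not MAC_RE.fullmatch(next_hop_mac.lower()):
        raise ValueError("MAC must look like 00:11:22:33:44:55")
    # Putting the filter on the SPAN port itself would mirror the mirrored copies.
    if any(ifname == span_port for ifname, _ in mirrored):
        raise ValueError("SPAN port must not carry the port-mirror filter")

    fo = "set forwarding-options port-mirroring"
    fw = f"set firewall family inet filter {filter_name}"
    lines = [
        f"{fo} input rate {rate}",
        f"{fo} input run-length {run_length}",
        f"{fo} family inet output interface {span_port}.0 next-hop {nh}",
        f"{fo} family inet output no-filter-check",
        f"{fw} term 1 then port-mirror",
        f"{fw} term 1 then accept",
        f"{fw} term 2 then accept",
    ]
    for ifname, unit in mirrored:
        for direction in ("input", "output"):
            lines.append(f"set interfaces {ifname} unit {unit} family inet "
                         f"filter {direction} {filter_name}")
    lines.append(f"set interfaces {span_port} unit 0 family inet address "
                 f"{span_ip.with_prefixlen} arp {nh} mac {next_hop_mac}")
    return lines


if __name__ == "__main__":
    # Constructed values: RFC 5737 documentation range plus the page's fictional MAC.
    print("\n".join(junos_port_mirror_config([("ge-5/2/7", 0), ("irb", 900)],
          "xe-4/3/0", "192.0.2.1/30", "192.0.2.2", "00:11:22:33:44:55")))
```

Paste the output into configure mode and commit; a next-hop outside the SPAN subnet is rejected before anything is emitted.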
UPDATE: It seems Juniper has added “analyzer” functionality in more recent code. I’ll investigate this at a later date.