[j-nsp] e320 interfaced based packet mirroring

snort bsd snortbsd at yahoo.com.au
Wed Oct 19 11:50:25 EDT 2011 

hi all

i need help on the subject of interfaced based packet mirroring in order to capture transit traffic flows on a certain interfaces. 


---------------------------
|                          |

|     gig11/0/4       {|-------- interface with transit traffic flows

|                          |
|     gig10/0/1       [|-------- wireshark machine
|                          |

|                          |

-------------------------- |

here are what i have done:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


1) physical interface intened to be used for mirroring device - wireshark machine

interface gigabitEthernet 10/0/1
 mtu 1522
 encapsulation vlan
!
interface gigabitEthernet 10/0/1.100
 vlan id 100
 ip address 192.168.1.2 255.255.255.252



2) logical tunnel interface that redirect mirror traffic flows

interface tunnel gre:pm transport-virtual-router lab
 tunnel source gigabitEthernet 10/0/1.100
 ip analyzer
 ip address 172.16.1.1 255.255.255.252



3) stativc route that binds wireshark machine to the tunnel interface

ip route 100.100.100.2/32 TUNNEL gre:pm

-- here 100.100.100.2 is the pseudo address of the wireshark machine.



4) policy that is used to capture mirrored traffic flows

secure ip policy-list "traffic-flows"
 classifier-group *
  mirror analyzer-ip-address 100.100.100.2 analyzer-virtual-router lab


5) applying policy to capture transit traffic

interface gigabitEthernet 11/0/4.10
...
...
...
 ip policy secure-input "traffic-flows"
 ip policy secure-output "traffic-flows"


6) result

it doesn't work. where did i do wrong? i tried to install static arp entry but failed:

e320-ida:lab(config)#arp 100.100.100.2 tunnel gre:pm 0010:9400:0001   
                                                                              ^
% Invalid input detected at '^' marker.
e320-ida:lab(config)#


i think it failed more than just missing static arp entries. juose docs are quite vague on the subject of interfaced packet mirroring, to say at least. i tried it without gre tunnel (using physical interface gig10/0/1 directly), but i only capture packets destined for the interface gig11/0/4, nothing about transit traffic. with tunnel interface, it just doesn't work at all.

on junos, port mirroring has to go through either virtual interfaces (vt) or logical tunnel interfaces (lt). i assume it is the same for junose based e320

thanks

More information about the juniper-nsp mailing list