[j-nsp] e320 interfaced based packet mirroring

Diogo Montagner diogo.montagner at gmail.com
Wed Oct 19 21:59:34 EDT 2011


Hi,

Did you apply the mirror-enable command?

Could you please share the output of show secure policy-list
traffic-flows and show tunnel-server?

You need to apply a command like this:

tunnel-server 5/2/0
 max-interfaces all-available
!

You need to choose one of the LM4s to share its bandwidth for tunnel creation.

Thanks

./diogo -montagner



On Wed, Oct 19, 2011 at 11:50 PM, snort bsd <snortbsd at yahoo.com.au> wrote:
> hi all
>
> i need help on the subject of interface-based packet mirroring in order to capture transit traffic flows on a certain interface.
>
>
> ----------------------------
> |                          |
> |     gig11/0/4          {|-------- interface with transit traffic flows
> |                          |
> |     gig10/0/1          [|-------- wireshark machine
> |                          |
> |                          |
> ----------------------------
>
> here are what i have done:
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> 1) physical interface intended to be used for mirroring device - wireshark machine
>
> interface gigabitEthernet 10/0/1
>  mtu 1522
>  encapsulation vlan
> !
> interface gigabitEthernet 10/0/1.100
>  vlan id 100
>  ip address 192.168.1.2 255.255.255.252
>
>
>
> 2) logical tunnel interface that redirects mirrored traffic flows
>
> interface tunnel gre:pm transport-virtual-router lab
>  tunnel source gigabitEthernet 10/0/1.100
>  ip analyzer
>  ip address 172.16.1.1 255.255.255.252
>
>
>
> 3) static route that binds wireshark machine to the tunnel interface
>
> ip route 100.100.100.2/32 TUNNEL gre:pm
>
> -- here 100.100.100.2 is the pseudo address of the wireshark machine.
>
>
>
> 4) policy that is used to capture mirrored traffic flows
>
> secure ip policy-list "traffic-flows"
>  classifier-group *
>   mirror analyzer-ip-address 100.100.100.2 analyzer-virtual-router lab
>
>
> 5) applying policy to capture transit traffic
>
> interface gigabitEthernet 11/0/4.10
> ...
> ...
> ...
>  ip policy secure-input "traffic-flows"
>  ip policy secure-output "traffic-flows"
>
>
> 6) result
>
> it doesn't work. where did i go wrong? i tried to install a static arp entry but failed:
>
> e320-ida:lab(config)#arp 100.100.100.2 tunnel gre:pm 0010:9400:0001
>                                                                               ^
> % Invalid input detected at '^' marker.
> e320-ida:lab(config)#
>
>
> i think it failed for more than just missing static arp entries. junose docs are quite vague on the subject of interface-based packet mirroring, to say the least. i tried it without the gre tunnel (using physical interface gig10/0/1 directly), but i only capture packets destined for the interface gig11/0/4, nothing about transit traffic. with the tunnel interface, it just doesn't work at all.
>
> on junos, port mirroring has to go through either virtual interfaces (vt) or logical tunnel interfaces (lt). i assume it is the same for the junose-based e320.
>
> thanks
>