[j-nsp] e320 interfaced based packet mirroring
Diogo Montagner
diogo.montagner at gmail.com
Wed Oct 19 21:59:34 EDT 2011
Hi,
Did you apply the mirror-enable command?
Could you please share the output of show secure policy-list
traffic-flows and show tunnel-server?
You need to apply some command like this:
tunnel-server 5/2/0
 max-interfaces all-available
!
You need to choose one of the LM4 to share its bandwidth for tunnel creations.
Thanks
./diogo -montagner
On Wed, Oct 19, 2011 at 11:50 PM, snort bsd <snortbsd at yahoo.com.au> wrote:
> hi all
>
> i need help on the subject of interfaced based packet mirroring in order to capture transit traffic flows on a certain interface.
>
>
> ---------------------------
> |                         |
> |             gig11/0/4  {|-------- interface with transit traffic flows
> |                         |
> |             gig10/0/1  [|-------- wireshark machine
> |                         |
> ---------------------------
>
> here is what i have done:
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> 1) physical interface intended to be used for mirroring device - wireshark machine
>
> interface gigabitEthernet 10/0/1
>  mtu 1522
>  encapsulation vlan
> !
> interface gigabitEthernet 10/0/1.100
>  vlan id 100
>  ip address 192.168.1.2 255.255.255.252
>
>
>
> 2) logical tunnel interface that redirects mirror traffic flows
>
> interface tunnel gre:pm transport-virtual-router lab
>  tunnel source gigabitEthernet 10/0/1.100
>  ip analyzer
>  ip address 172.16.1.1 255.255.255.252
>
>
>
> 3) static route that binds wireshark machine to the tunnel interface
>
> ip route 100.100.100.2/32 TUNNEL gre:pm
>
> -- here 100.100.100.2 is the pseudo address of the wireshark machine.
>
>
>
> 4) policy that is used to capture mirrored traffic flows
>
> secure ip policy-list "traffic-flows"
> classifier-group *
> mirror analyzer-ip-address 100.100.100.2 analyzer-virtual-router lab
>
>
> 5) applying policy to capture transit traffic
>
> interface gigabitEthernet 11/0/4.10
> ...
> ...
> ...
> ip policy secure-input "traffic-flows"
> ip policy secure-output "traffic-flows"
>
>
> 6) result
>
> it doesn't work. where did i go wrong? i tried to install static arp entry but failed:
>
> e320-ida:lab(config)#arp 100.100.100.2 tunnel gre:pm 0010:9400:0001
> ^
> % Invalid input detected at '^' marker.
> e320-ida:lab(config)#
>
>
> i think it failed more than just missing static arp entries. junose docs are quite vague on the subject of interfaced packet mirroring, to say the least. i tried it without gre tunnel (using physical interface gig10/0/1 directly), but i only capture packets destined for the interface gig11/0/4, nothing about transit traffic. with tunnel interface, it just doesn't work at all.
>
> on junos, port mirroring has to go through either virtual interfaces (vt) or logical tunnel interfaces (lt). i assume it is the same for junose based e320
>
> thanks
>