[j-nsp] How to run analyzers on multiple EX3300's back to a single analyzer output. RSPAN not supported?
Morgan McLean
wrx230 at gmail.com
Tue Aug 14 02:41:31 EDT 2012
Hey everyone..
So, I read some things that led me to believe I could run RSPAN on my
EX3300 devices. Ideally I create an analyzer on my EX3300 top of rack
switches, set the input to the ingress of ge-0/0/0 through 47, and send
that to an analyzer VLAN (vlan-id 998) which gets trunked to the upstream
core on an XE.
I had configured my core 8208 to firewall filter on the ethernet-switching
family input of the top of rack uplink, filtering for vlan-id 998, then
sending to the analyzer which then sends traffic from the multiple switch
uplinks into one central analyzer port.
The following page is an example of something leading me to believe this
could work:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-mirroring-cli.html
This is what JTAC referred me to:
http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html#network-manage-monitor-features-by-platform-table
It says port mirror is supported, but enhanced port mirroring is not
(RSPAN?).
Basically what I ended up experiencing is only traffic that left the top of
rack switch completely was caught (I did tcpdumps to watch traffic). Port
ge-0/0/0 to ge-0/0/1 is not captured, but ge-0/0/0 out the xe-0/1/0 trunk
to somewhere else in the L2 domain was caught. I do not analyze the uplink
port, so this is some odd behavior. If I just send the analyzer output to a
local port, I get all the traffic and don't experience this weirdness.
Either way Juniper says it's officially not supported, so I'm up a creek.
Here is my main problem: How can I now aggregate the analyzer data from 32+
top of rack switches into a couple of 10 gig ports on an appliance? I realize
there are specialized devices that do this, but we spent a lot of money for
our Gigamon device that does this. I don't think the security team wants to
buy another one, not to mention that many 10 gig interfaces would literally
cost us $500,000 with Gigamon.
I am considering throwing up an EX4500 I have lying around, connecting the
analyzer 10G output from every top of rack switch, and then running an
analyzer for all 10G top of rack feeds into one or two analyzer outputs.
Any reason why this wouldn't work?
Kind of an odd workaround, but I don't really have any other options at
the moment. I thought everything was working great today, until I started
noticing some traffic not being displayed. :3
Thanks,
Morgan
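The design described in the post, written out as an added Junos configuration example (this is not Morgan's configuration and not Juniper documentation; it uses the EX-series `ethernet-switching-options analyzer` and `family ethernet-switching` filter syntax of the Junos 12.1 era). Values taken from the post are vlan-id 998, access ports ge-0/0/0 through ge-0/0/47, the xe-0/1/0 uplink, the EX3300 top-of-rack role and the EX8208 core role; every name (`analyzer-vlan`, `tor-mirror`, `core-collector`, `mirror-vlan-998`) and the core-side interface numbers are assumptions:

```junos
/* Top-of-rack EX3300: mirror the ingress of the access ports into the analyzer VLAN. */
vlans {
    analyzer-vlan {                   /* VLAN name assumed; vlan-id 998 is from the post */
        vlan-id 998;
    }
}
interfaces {
    xe-0/1/0 {                        /* uplink named in the post; the trunk must carry the analyzer VLAN */
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ analyzer-vlan ];
                }
            }
        }
    }
}
ethernet-switching-options {
    analyzer tor-mirror {             /* analyzer name assumed */
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
                /* ... one line per port, through ge-0/0/47.0 */
            }
        }
        output {
            vlan {
                analyzer-vlan;
            }
        }
    }
}

/* Core EX8208: select VLAN 998 on the port facing a ToR uplink and hand it to a local analyzer. */
ethernet-switching-options {
    analyzer core-collector {         /* analyzer name assumed; input comes from the filter below */
        output {
            interface xe-0/0/0.0;     /* placeholder: core port facing the capture appliance */
        }
    }
}
firewall {
    family ethernet-switching {
        filter mirror-vlan-998 {      /* filter name assumed */
            term mirror {
                from {
                    vlan 998;
                }
                then {
                    analyzer core-collector;
                    accept;
                }
            }
            term pass {
                then accept;
            }
        }
    }
}
interfaces {
    xe-1/0/0 {                        /* placeholder: core port facing one ToR uplink */
        unit 0 {
            family ethernet-switching {
                filter {
                    input mirror-vlan-998;
                }
            }
        }
    }
}
```

The same `filter ... then analyzer` pattern is repeated on each core port that faces a top-of-rack uplink, so the one `core-collector` output collects the feeds from all of them. The check worth keeping from the post is the one Morgan already did: mirror to a local port on the EX3300 first and compare a tcpdump of that port against the capture seen at the core, so a gap such as the missing ge-0/0/0 to ge-0/0/1 traffic shows up as a difference between the two captures rather than as silently absent evidence.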