[j-nsp] How to run analyzers on multiple EX3300's back to a single analyzer output. RSPAN not supported?

Morgan McLean wrx230 at gmail.com
Tue Aug 14 04:48:58 EDT 2012


I ended up heading to the datacenter to try it out; it seems to work. This is
my best solution for now, it seems.

Morgan

On Mon, Aug 13, 2012 at 11:41 PM, Morgan McLean <wrx230 at gmail.com> wrote:

> Hey everyone..
>
> So, I read some things that led me to believe I could run RSPAN on my
> EX3300 devices. Ideally I create an analyzer on my EX3300 top of rack
> switches, set the input to the ingress of ge-0/0/0 through 47, and send
> that to an analyzer VLAN (vlan-id 998) which gets trunked to the upstream
> core on an XE.
>
> I had configured my core 8208 to firewall filter on the ethernet-switching
> family input of the top of rack uplink, filtering for vlan-id 998, then
> sending to the analyzer which then sends traffic from the multiple switch
> uplinks into one central analyzer port.
>
> The following page is an example of something leading me to believe this
> could work:
> http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-mirroring-cli.html
>
> This is what JTAC referred me to:
> http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html#network-manage-monitor-features-by-platform-table
>
> It says port mirror is supported, but enhanced port mirroring is not
> (RSPAN?).
>
> Basically what I ended up experiencing is only traffic that left the top
> of rack switch completely was caught (I did TCP dumps to watch traffic).
> Port ge-0/0/0 to ge-0/0/1 is not captured, but ge-0/0/0 out the xe-0/1/0
> trunk to somewhere else in the L2 domain was caught. I do not analyze the
> uplink port, so this is some odd behavior. If I just send the analyzer
> output to a local port, I get all the traffic and don't experience this
> weirdness.
>
> Either way Juniper says it's officially not supported, so I'm up a creek.
>
> Here is my main problem: How can I now aggregate the analyzer data from
> 32+ top of rack switches into a couple of 10 gig ports on an appliance? I
> realize there are specialized devices that do this, but we spent a lot of
> money for our Gigamon device that does this. I don't think the security
> team wants to buy another one, not to mention that many 10 gig interfaces
> would literally cost us $500,000 with Gigamon.
>
> I am considering throwing up an EX4500 I have lying around, connecting
> the analyzer 10G output from every top of rack switch, and then running an
> analyzer for all 10G top of rack feeds into one or two analyzer outputs.
> Any reason why this wouldn't work?
>
> Kind of an odd workaround, but I don't really have any other options at
> the moment. I thought everything was working great today, until I started
> noticing some traffic not being displayed. :3
>
> Thanks,
> Morgan
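The two-stage design from the original post written out in Junos set syntax, as an added example that is not configuration from the thread: the ToR analyzer mirrors the access ports into VLAN 998, the core filter pulls that VLAN off each ToR uplink into one analyzer port, and the EX4500 variant simply re-mirrors every incoming ToR feed to one appliance-facing port. Interface numbers, analyzer and VLAN names are assumed, and the statement forms are those of pre-ELS EX Junos of the 12.1 era; the EX3300 behaviour reported above (VLAN output only carrying traffic that left the switch) is a platform limitation this configuration does not change.

```junos
# --- ToR EX3300 (one per rack): mirror ingress of the access ports into VLAN 998 ---
# analyzer-vlan / tor-to-vlan998 are assumed names; no-mac-learning keeps the
# mirror VLAN from learning source MACs of the copied frames
set vlans analyzer-vlan vlan-id 998
set vlans analyzer-vlan no-mac-learning
set ethernet-switching-options analyzer tor-to-vlan998 input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer tor-to-vlan998 input ingress interface ge-0/0/1.0
# ... repeat the input line for ge-0/0/2.0 through ge-0/0/47.0 ...
set ethernet-switching-options analyzer tor-to-vlan998 output vlan analyzer-vlan
# the uplink toward the core must trunk VLAN 998 alongside the production VLANs
set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members analyzer-vlan

# --- Core EX8208: pull VLAN 998 frames off every ToR uplink into one analyzer port ---
# central-tap / catch-mirror-vlan are assumed names; xe-7/0/0 faces the appliance
set ethernet-switching-options analyzer central-tap output interface xe-7/0/0.0
set firewall family ethernet-switching filter catch-mirror-vlan term mirrored from vlan 998
set firewall family ethernet-switching filter catch-mirror-vlan term mirrored then analyzer central-tap
set firewall family ethernet-switching filter catch-mirror-vlan term mirrored then accept
set firewall family ethernet-switching filter catch-mirror-vlan term rest then accept
# apply as an input filter on each ToR-facing uplink (one shown, assumed xe-1/0/0)
set interfaces xe-1/0/0 unit 0 family ethernet-switching filter input catch-mirror-vlan

# --- Alternative from the post: an EX4500 as a plain mirror aggregator ---
# each ToR mirrors to a local 10G port cabled to the EX4500; the EX4500 mirrors
# the ingress of all those ports to one or two outputs feeding the appliance
set ethernet-switching-options analyzer aggregate input ingress interface xe-0/0/0.0
set ethernet-switching-options analyzer aggregate input ingress interface xe-0/0/1.0
# ... one input line per ToR feed ...
set ethernet-switching-options analyzer aggregate output interface xe-0/0/47.0
```

Verify with `show analyzer` on each box that the analyzer state is up and that the input list matches what you intended, since a filter-based analyzer with no matching frames will sit silently "up" while capturing nothing.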

