[j-nsp] port mirror to multiple ports on MX80 in inet6

Paul Vlaar paul at vlaar.net
Mon Nov 12 07:03:36 EST 2012


Clarke,

On 9/11/12 11:37 PM, Clarke Morledge wrote:
> "If the packet's L2 destination MAC matches the router's IRB MAC
> address.... Its important to note that any bridge family filters applied
> to the related Layer 2 IFLs, or to the FT [forwarding table] in the BD
> itself, are not evaluated or processed for routed traffic, even though
> that traffic may ingress on a Layer 2 interface where a Layer 2 input
> filter is applied."

Thing is, I could see echo replies coming back from the bridge domain
interfaces via the IRB, but not the outgoing ICMP echo requests. So it
appears this works the other way around from what it says above.

In the meantime, Juniper TAC have told me:

"I have done some research and found out that we can mirror L2 packets
entering the IRB from the bridge domain, but the reverse is not possible. For the
reverse traffic (L3 packets entering IRB => bridge-domain), you can mirror
it using "family inet filter output" on the IRB interface. But this will
mirror at L3 level (IPv4 traffic), and will not preserve the L2 headers."

That seems to confirm the behaviour I saw.

Given this inconsistent behaviour I've left L2 mirroring for what it was.
I only looked at L2 mirroring as an alternative to L3 as I found v6
wasn't supporting next-hop-group (as the goal was to mirror to multiple
analyzers). I've solved the whole issue of not being able to port mirror
v6 to multiple analyzers with a workaround though: by using L3 mirroring
together with a virtual switch and an "unlearnable" MAC address, the
mirrored traffic is then copied to as many ports as the virtual switch has.

	~paul
