[j-nsp] unidirectional L2 port mirror

ashish verma ashish.scit at gmail.com
Thu Nov 22 15:36:36 EST 2012


Hi Paul

I have noticed the same behavior as well. If you configure Layer 3 port
mirroring then you will see traffic in both directions.



On Wed, Oct 24, 2012 at 7:07 AM, Paul Vlaar <paul at vlaar.net> wrote:

> I'm trying to do basic L2 port mirroring based on the Juniper document
> called "MX Series Ethernet Services Routers Layer 2 Configuration Guide
> Release 10.1".  I have the following config for L2 port mirroring on an
> MX80 running 12.2R1.3.
>
> The port-mirroring configuration:
>
> mx80> show configuration forwarding-options port-mirroring family vpls
> output {
>     interface ge-1/3/2.0;
> }
>
> Note that "family vpls" is synonymous to "family bridge" according to
> the documentation, and that "family bridge" can't be opted here.
>
> This is the interface that connects the analyzer server:
>
> mx80> show configuration interfaces ge-1/3/2
> encapsulation ethernet-bridge;
> unit 0 {
>     family bridge;
> }
>
> This is the interface I'd like to port mirror, both in and out:
>
> mx80> show configuration interfaces ge-1/0/2
> encapsulation ethernet-bridge;
> unit 0 {
>     family bridge {
>         filter {
>             input mirror;
>             output mirror;
>         }
>     }
> }
>
> This is the firewall filter that calls the port-mirror directive:
>
> mx80> show configuration firewall family bridge filter mirror
> term all {
>     then {
>         accept;
>         port-mirror;
>     }
> }
>
> Interface ge-1/0/2 is part of a bridge domain:
>
> mx80> show bridge domain interface ge-1/0/2.0
>
> Bridge domain: VLAN100, Index: 2
> Logical      Outer    Inner    Sequence  Logical
> Interface    VLAN     VLAN     No        Flags
> ge-1/0/2.0                     0
>
> Interface ge-1/3/2 is also part of a bridge domain:
>
> mx80> show bridge domain interface ge-1/3/2.0
>
> Bridge domain: analyzers, Index: 4
> Logical      Outer    Inner    Sequence  Logical
> Interface    VLAN     VLAN     No        Flags
> ge-1/3/2.0
>
> All seems well:
>
> mx80> show forwarding-options port-mirroring
> Instance Name: &global_instance
>   Instance Id: 1
>   Input parameters:
>     Rate                  : 1
>     Run-length            : 1
>     Maximum-packet-length : 0
>   Output parameters:
>     Family      State     Destination          Next-hop
>     vpls        up        ge-1/3/2.0
>
>
> On the analyzer box, I do a tcpdump on the corresponding interface and I
> ping the server connected to ge-1/0/2.0 from a server that is not
> directly connected to the MX80, and I look for ICMP request and reply:
>
> [root at analyzer]# tcpdump -n -i igb0 -e | grep -i icmp | egrep -i 'reply|request'
> 15:48:23.661173 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 0, length 64
> 15:48:24.662304 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 1, length 64
> 15:48:25.663276 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 2, length 64
>
> (IP addresses have been anonymized)
>
> I see only the ICMP *reply* coming out of the port, not the request.
> Note that all traffic is tagged with VLAN 100.
>
> Then I ping from a host that is connected in the same bridge domain as
> ge-1/0/2 and in the same subnet, connected to ge-1/3/0.0, and I see:
>
> [root at analyzer]# tcpdump -n -i igb0 -e | grep -i icmp | egrep -i 'reply|request'
> 15:52:52.982512 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: x.x.158.5 > x.x.158.13: ICMP echo request, id 6679, seq 0, length 64
> 15:52:52.982612 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > x.x.158.5: ICMP echo reply, id 6679, seq 0, length 64
>
> So there I *am* seeing the request as plain IPv4, and the reply as well
> which is tagged with VLAN 100 like before.
>
> Anyone have any clue as to why I am not seeing traffic going into the
> port when it originates from outside the router, but only the outbound?
>
> Am I missing something here?
>
> Thanks,
>
>         ~paul
>
>
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
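A mirror feed that silently carries only one direction is a blind spot for whatever IDS or forensic capture sits behind the analyzer port, so it is worth checking mechanically rather than by eyeballing tcpdump. The script below is an added example, not code from the thread or from Juniper: it parses the two line shapes that `tcpdump -n -e` printed above (802.1Q-tagged and untagged ICMP echo), pairs requests with replies by ICMP id and endpoint pair, and flags sessions where only one direction reached the analyzer, plus sessions whose two directions arrived with different VLAN tagging. The sample lines are constructed to mirror the thread's output with RFC 5737 documentation addresses in place of the anonymized ones; the exact tcpdump output format is assumed to match the version shown in the post.

```python
import re
from collections import defaultdict

# One regex for both shapes seen in the thread (assumption: this tcpdump/libpcap
# output format):
#   <ts> <smac> > <dmac>, ethertype 802.1Q (0x8100), length N: vlan V, p P,
#        ethertype IPv4, <sip> > <dip>: ICMP echo <kind>, id I, seq S, length L
#   <ts> <smac> > <dmac>, ethertype IPv4 (0x0800), length N: <sip> > <dip>:
#        ICMP echo <kind>, id I, seq S, length L
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>" + MAC + r") > (?P<dmac>" + MAC + r"), ethertype "
    r"(?:802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype IPv4, "
    r"|IPv4 \(0x0800\), length \d+: )"
    r"(?P<sip>\S+) > (?P<dip>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_icmp_lines(lines):
    """Return one dict per ICMP echo line; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["vlan"] = int(d["vlan"]) if d["vlan"] is not None else None  # None = untagged
        d["id"] = int(d["id"])
        d["seq"] = int(d["seq"])
        records.append(d)
    return records


def session_report(records):
    """Group echo traffic by (icmp id, unordered endpoint pair), counting each direction
    and remembering which VLAN tag (or None) each direction arrived with."""
    report = {}
    for r in records:
        key = (r["id"], tuple(sorted((r["sip"], r["dip"]))))
        s = report.setdefault(key, {"request": 0, "reply": 0,
                                    "vlans": {"request": set(), "reply": set()}})
        s[r["kind"]] += 1
        s["vlans"][r["kind"]].add(r["vlan"])
    return report


def one_directional(report):
    """Sessions where the analyzer saw replies but no requests, or vice versa."""
    return sorted(k for k, s in report.items() if s["request"] == 0 or s["reply"] == 0)


def tag_mismatch(report):
    """Sessions with both directions present but tagged differently (e.g. request
    untagged, reply carrying vlan 100), which trips up analyzers that key on VLAN."""
    return sorted(k for k, s in report.items()
                  if s["request"] and s["reply"]
                  and s["vlans"]["request"] != s["vlans"]["reply"])


# Constructed sample: same shapes as the thread's tcpdump output, RFC 5737 addresses.
SAMPLE = """\
15:48:23.661173 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 192.0.2.13 > 198.51.100.213: ICMP echo reply, id 50552, seq 0, length 64
15:48:24.662304 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 192.0.2.13 > 198.51.100.213: ICMP echo reply, id 50552, seq 1, length 64
15:52:52.982512 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: 192.0.2.5 > 192.0.2.13: ICMP echo request, id 6679, seq 0, length 64
15:52:52.982612 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 192.0.2.13 > 192.0.2.5: ICMP echo reply, id 6679, seq 0, length 64
""".splitlines()


def analyze(lines):
    report = session_report(parse_icmp_lines(lines))
    return {"sessions": report,
            "one_directional": one_directional(report),
            "tag_mismatch": tag_mismatch(report)}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for key, s in result["sessions"].items():
        print(f"id {key[0]} {key[1][0]} <-> {key[1][1]}: "
              f"{s['request']} request(s), {s['reply']} reply(ies)")
    print("only one direction mirrored:", result["one_directional"])
    print("directions tagged differently:", result["tag_mismatch"])
```

Run it against a real capture with `tcpdump -n -e -i igb0 icmp -l | python3 mirror_check.py` after replacing `SAMPLE` with `sys.stdin`; a clean bidirectional mirror yields empty lists for both checks. Any non-empty `one_directional` result during a controlled ping test is the symptom described in the thread and means the mirror is not a faithful copy of the port.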
