[j-nsp] port mirror to multiple ports on MX80 in inet6

Paul Vlaar paul at vlaar.net
Mon Oct 22 16:23:29 EDT 2012 

Chuck,

thanks for the pointer and for the example code. This would definitely
work, but I'd still like to see if I can do this without an additional
switch.

I've been playing with L2 port mirroring and this config came out so far:

mx80# show forwarding-options port-mirroring family vpls
output {
    next-hop-group vpls-mirror-group;
}

mx80# show forwarding-options next-hop-group vpls-mirror-group
group-type layer-2;
interface ge-1/3/5.0;
interface ge-1/3/2.0;

This is one of the analyzer ports:

mx80# show interfaces ge-1/3/2
description meas1:igb0;
encapsulation ethernet-bridge;
unit 0;

They are both in the same bridge domain:

mx80# show bridge-domains meas-servers
domain-type bridge;
interface ge-1/3/2.0;
interface ge-1/3/5.0;

This is the interface which I want to mirror:

mx80# show interfaces ge-1/0/2
description app3.igb0;
encapsulation ethernet-bridge;
unit 0 {
    family bridge {
        filter {
            input mirror;
            output mirror;
        }
    }
}

The filter, applied to both input and output of the above interface,
that calls to port-mirror:

mx80# show firewall family bridge filter mirror
term all {
    then {
        accept;
        port-mirror;
    }
}

When I do a ping from a host on the internet, outside the node, to the
IP address of the server that is connected to ge-1/0/1, I see the ping
being answered. On the analyzer connected to ge-1/3/2 I do a tcpdump and
I see only the ICMP echo reply:

15:53:04.415530 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 >
x.x.x.226: ICMP echo reply, id 19022, seq 30, length 64
15:53:05.416447 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 >
x.x.x.226: ICMP echo reply, id 19022, seq 31, length 64

Why do I not see the ICMP request going out of the port, and only the reply?

The interesting thing is that I do see the ICMP request when I ping from
a host that is directly connected to the router, connected to a port
that is in the same bridge-domain as ge-1/0/2:

16:02:24.160278 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4
(0x0800), length 98: x.x.x.5 > x.x.x.13: ICMP echo request, id 16139,
seq 0, length 64
16:02:24.160391 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 > x.x.x.5:
ICMP echo reply, id 16139, seq 0, length 64

Note that the ICMP request is showing as untagged traffic, yet the reply
is in VLAN 100. On the router, ge-1/0/2 is in a bridge-domain with VLAN
id 100. No other ports have the 'mirror' filter applied.

Anybody ever done L2 port mirroring on an MX80 or have a clue as to why
the above is happening?

Thanks,

	~paul


On 20/10/12 6:00 PM, juniper-nsp-request at puck.nether.net wrote:
> Date: Fri, 19 Oct 2012 17:07:42 -0400
> From: Chuck Anderson <cra at WPI.EDU>
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] port mirror to multiple ports on MX80 in inet6
> Message-ID: <20121019210742.GN2737 at angus.ind.WPI.EDU>
> Content-Type: text/plain; charset=us-ascii
> 
> What I do is plug the monitor (output) port into a switch with a
> separate monitoring VLAN and then set the destination MAC address to
> an unknown one like 02:02:02:02:02:02--the switch will forward all the
> unknown traffic to all ports in the monitoring VLAN.  Works great with
> an EX4200 (on which I'm also using other ports for "normal" traffic):
> 
> MX> show configuration forwarding-options port-mirroring 
> input {
>     rate 1;
>     run-length 0;
> }
> family inet {
>     output {
>         interface ge-0/1/2.0 {
>             next-hop 192.0.2.2;
>         }
>     }
> }
> family inet6 {
>     output {
>         interface ge-0/1/2.0 {
>             next-hop 2001:0db8::2;
>         }
>     }
> }
> 
> MX> show configuration interfaces ge-0/1/2
> unit 0 {
>     family inet {
>         no-redirects;
>         no-neighbor-learn;
>         address 192.0.2.1/30 {
>             arp 192.0.2.2 mac 02:02:02:02:02:02;
>         }
>     }
>     family inet6 {
>         no-neighbor-learn;
>         address 2001:0db8::1/126 {
>             ndp 2001:0db8::2 mac 02:02:02:02:02:02;
>         }
>     }
> }
> 
> EX> show configuration vlans MIRROR 
> vlan-id 2;
> 
> EX> show configuration interfaces ge-0/0/0
> description "mirror from mx ge-0/1/2";
> unit 0 {
>     family ethernet-switching {
>         vlan {
>             members 2;
>         }
>     }
> }
> 
> EX> show configuration interfaces ge-0/0/1
> description "mirror to destination1";
> unit 0 {
>     family ethernet-switching {
>         vlan {
>             members 2;
>         }
>     }
> }
> 
> EX> show configuration interfaces ge-0/0/2
> description "mirror to destination2";
> unit 0 {
>     family ethernet-switching {
>         vlan {
>             members 2;
>         }
>     }
> }
>

More information about the juniper-nsp mailing list