[j-nsp] unidirectional L2 port mirror
Paul Vlaar
paul at vlaar.net
Tue Oct 23 16:07:24 EDT 2012
I'm trying to do basic L2 port mirroring based on the Juniper document
called "MX Series Ethernet Services Routers Layer 2 Configuration Guide
Release 10.1". I have the following config for L2 port mirroring on an
MX80 running 12.2R1.3.
The port-mirroring configuration:
mx80> show configuration forwarding-options port-mirroring family vpls
output {
interface ge-1/3/2.0;
}
Note that "family vpls" is synonymous to "family bridge" according to
the documentation, and that "family bridge" can't be opted here.
This is the interface that connects the analyzer server:
mx80> show configuration interfaces ge-1/3/2
encapsulation ethernet-bridge;
unit 0 {
family bridge;
}
This is the interface I'd like to port mirror, both in and out:
mx80> show configuration interfaces ge-1/0/2
encapsulation ethernet-bridge;
unit 0 {
family bridge {
filter {
input mirror;
output mirror;
}
}
}
This is the firewall filter that calls the port-mirror directive:
mx80> show configuration firewall family bridge filter mirror
term all {
then {
accept;
port-mirror;
}
}
Interface ge-1/0/2 is part of a bridge domain:
mx80> show bridge domain interface ge-1/0/2.0
Bridge domain: VLAN100, Index: 2
Logical Outer Inner Sequence Logical
Interface VLAN VLAN No Flags
ge-1/0/2.0 0
Interface ge-1/3/2 is also part of a bridge domain:
mx80> show bridge domain interface ge-1/3/2.0
Bridge domain: analyzers, Index: 4
Logical Outer Inner Sequence Logical
Interface VLAN VLAN No Flags
ge-1/3/2.0
All seems well:
mx80> show forwarding-options port-mirroring
Instance Name: &global_instance
Instance Id: 1
Input parameters:
Rate : 1
Run-length : 1
Maximum-packet-length : 0
Output parameters:
Family State Destination Next-hop
vpls up ge-1/3/2.0
On the analyzer box, I do a tcpdump on the corresponding interface and I
ping the server connected to ge-1/0/2.0 from a server that is not
directly connected to the MX80, and I look for ICMP request and reply:
[root@analyzer]# tcpdump -n -i igb0 -e | grep -i icmp | egrep -i 'reply|request'
15:48:23.661173 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 0, length 64
15:48:24.662304 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 1, length 64
15:48:25.663276 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 2, length 64
(IP addresses have been anonymized)
I see only the ICMP *reply* coming out of the port, not the request.
Note that all traffic is tagged with VLAN 100.
Then I ping from a host that is connected in the same bridge domain as
ge-1/0/2 and in the same subnet, connected to ge-1/3/0.0, and I see:
[root@analyzer]# tcpdump -n -i igb0 -e | grep -i icmp | egrep -i 'reply|request'
15:52:52.982512 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: x.x.158.5 > x.x.158.13: ICMP echo request, id 6679, seq 0, length 64
15:52:52.982612 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > x.x.158.5: ICMP echo reply, id 6679, seq 0, length 64
So there I *am* seeing the request as plain IPv4, and the reply as well,
which is tagged with VLAN 100 like before.
Anyone have any clue as to why I am not seeing traffic going into the
port when it originates from outside the router, but only the outbound?
Am I missing something here?
Thanks,
~paul
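As an added diagnostic example (not part of Paul's post and not Juniper code), the script below parses tcpdump -e lines of the shape quoted above and, for each ICMP echo id, reports whether the analyzer saw the request, the reply, or both, and which VLAN tag each direction carried. Before trusting an IDS or flow collector fed from a mirror port, this is the check that tells you the feed is only half a conversation. The sample capture is constructed to mirror the post's two observations (reply-only for id 50552 with a tagged reply, bidirectional for id 6679 with an untagged request and a tagged reply); the IP addresses are documentation/private ranges standing in for the anonymized ones, and the text format assumed is tcpdump's default `-e` line format as shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump -e lines in the post.
# Addresses are placeholders (10.0.0.0/8 and 192.0.2.0/24), not real hosts.
SAMPLE_CAPTURE = """\
15:48:23.661173 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 10.0.158.13 > 192.0.2.213: ICMP echo reply, id 50552, seq 0, length 64
15:48:24.662304 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 10.0.158.13 > 192.0.2.213: ICMP echo reply, id 50552, seq 1, length 64
15:52:52.982512 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: 10.0.158.5 > 10.0.158.13: ICMP echo request, id 6679, seq 0, length 64
15:52:52.982612 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 10.0.158.13 > 10.0.158.5: ICMP echo reply, id 6679, seq 0, length 64
"""

# One regex for both the 802.1Q-tagged form ("vlan N, p P, ethertype IPv4,")
# and the untagged form; the vlan group is None when no tag was present.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype (?P<eth>802\.1Q|IPv4)"
    r"(?: \(0x[0-9a-f]+\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype IPv4,"
    r"| \(0x[0-9a-f]+\), length \d+:)"
    r" (?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return a list of dicts, one per ICMP echo line that matches LINE_RE."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-ICMP or unparseable line: ignored, not an error
        d = m.groupdict()
        d["vlan"] = int(d["vlan"]) if d["vlan"] is not None else None
        d["id"] = int(d["id"])
        d["seq"] = int(d["seq"])
        packets.append(d)
    return packets


def audit_mirror(packets):
    """Group echo packets by ICMP id and judge whether the mirror delivered
    both directions. A reply-only flow means traffic *entering* the
    mirrored port never reached the analyzer; request-only means the
    reverse. Per-direction VLAN tags are kept so tagged/untagged
    asymmetries (as in the post) are visible too."""
    flows = defaultdict(lambda: {
        "request": 0, "reply": 0,
        "tags": {"request": set(), "reply": set()},
    })
    for p in packets:
        f = flows[p["id"]]
        f[p["kind"]] += 1
        f["tags"][p["kind"]].add(p["vlan"])

    report = {}
    for icmp_id, f in flows.items():
        if f["request"] and f["reply"]:
            verdict = "bidirectional"
        elif f["reply"]:
            verdict = "reply-only"
        else:
            verdict = "request-only"
        report[icmp_id] = {
            "request": f["request"],
            "reply": f["reply"],
            "tags": f["tags"],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for icmp_id, r in sorted(audit_mirror(parse_capture(SAMPLE_CAPTURE)).items()):
        print(f"icmp id {icmp_id}: {r['verdict']} "
              f"(requests={r['request']}, replies={r['reply']}, "
              f"request tags={r['tags']['request']}, reply tags={r['tags']['reply']})")
```

Run it against a real capture with `tcpdump -n -e -i <analyzer-if> icmp` piped into a file and pass the file's contents to `parse_capture`; any id that comes back `reply-only` or `request-only` is a mirror session that is not delivering both directions, which is exactly the symptom the post describes.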