[j-nsp] port mirror to multiple ports on MX80 in inet6

Clarke Morledge chmorl at wm.edu
Tue Oct 23 16:59:09 EDT 2012


Paul,

You asked:

"This is the interface which I want to mirror:

mx80# show interfaces ge-1/0/2
description app3.igb0;
encapsulation ethernet-bridge;
unit 0 {
    family bridge {
        filter {
            input mirror;
            output mirror;
        }
    }
}

...........

When I do a ping from a host on the internet, outside the node, to the
IP address of the server that is connected to ge-1/0/1, I see the ping
being answered. On the analyzer connected to ge-1/3/2 I do a tcpdump and
I see only the ICMP echo reply:

15:53:04.415530 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 > x.x.x.226: ICMP echo reply, id 19022, seq 30, length 64
15:53:05.416447 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 > x.x.x.226: ICMP echo reply, id 19022, seq 31, length 64

Why do I not see the ICMP request going out of the port, and only the 
reply?"

---------------------------------------------------

My question for you would be if you have an IRB interface associated with 
the bridge-domain that your mirror source port is in, and if the ICMP 
traffic coming into the router is hitting that IRB.  If that is the case, 
the MX will not treat the traffic coming into your IRB interface via your 
"encapsulation ethernet-bridge" as Layer2 traffic in this context, so it 
will not get mirrored.


-----------------------------------------------------

Also, you asked:

"The interesting thing is that I do see the ICMP request when I ping from
a host that is directly connected to the router, connected to a port
that is in the same bridge-domain as ge-1/0/2:

16:02:24.160278 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: x.x.x.5 > x.x.x.13: ICMP echo request, id 16139, seq 0, length 64
16:02:24.160391 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 > x.x.x.5: ICMP echo reply, id 16139, seq 0, length 64

Note that the ICMP request is showing as untagged traffic, yet the reply
is in VLAN 100. On the router, ge-1/0/2 is in a bridge-domain with VLAN
id 100. No other ports have the 'mirror' filter applied.

Anybody ever done L2 port mirroring on an MX80 or have a clue as to why
the above is happening?"

------------------------------------------------------

With respect to the vlan tagging on the port mirror output interface, the 
L2 packet being mirrored will egress with the original vlan tag intact, 
no matter what vlan id you configure on the mirror destination interface.

However, if you insert the "vlan-id" keyword into the "bridge-domain" 
configuration, you can manipulate the vlan tag that gets egressed out of 
your mirror destination port.  But if the "vlan-id" in the bridge domain 
is the same as the vlan-id of the mirror destination port, the original 
packet vlan-id gets preserved on output.

I have not tested this, but my guess is that this might also apply to 
packets being mirrored that are untagged at the source.

Port mirroring on this platform is enough to make your head spin.

I am working with 11.4R5.5 on an MX-80.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
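
An added example, not part of the original post: a small check an analyzer operator could run over `tcpdump -e` text from the mirror destination port to flag the two symptoms discussed in this thread, a direction missing from the mirror and a VLAN tag that differs between request and reply. The sample lines are constructed from the output quoted above with documentation-range addresses substituted, and the function name `audit_mirror` is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump -e output quoted in the thread
# (addresses replaced with documentation ranges; not captured data).
SAMPLE = """\
15:53:04.415530 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, 192.0.2.13 > 198.51.100.226: ICMP echo reply, id 19022, seq 30, length 64
16:02:24.160278 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: 192.0.2.5 > 192.0.2.13: ICMP echo request, id 16139, seq 0, length 64
16:02:24.160391 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, 192.0.2.13 > 192.0.2.5: ICMP echo reply, id 16139, seq 0, length 64
"""

VLAN = re.compile(r"\bvlan (\d+)")
ICMP = re.compile(
    r"([\d.]+) > ([\d.]+): ICMP echo (request|reply), id (\d+), seq (\d+)"
)


def audit_mirror(capture):
    """Pair echo request/reply by (client, server, id, seq) and report gaps."""
    seen = defaultdict(dict)  # key -> {"request"/"reply": vlan id or None}
    for line in capture.splitlines():
        m = ICMP.search(line)
        if not m:
            continue
        src, dst, kind, ident, seq = m.groups()
        # Normalise both directions onto the same key: the client sent the request.
        client, server = (src, dst) if kind == "request" else (dst, src)
        tag = VLAN.search(line)
        key = (client, server, int(ident), int(seq))
        seen[key][kind] = int(tag.group(1)) if tag else None

    findings = []
    for key, kinds in seen.items():
        missing = [k for k in ("request", "reply") if k not in kinds]
        if missing:
            # One direction never reached the mirror destination port.
            findings.append((key, "missing " + missing[0]))
        elif kinds["request"] != kinds["reply"]:
            # Both directions mirrored, but with different 802.1Q tagging.
            findings.append((key, "tag mismatch: request vlan=%s, reply vlan=%s"
                             % (kinds["request"], kinds["reply"])))
    return findings


if __name__ == "__main__":
    for key, problem in audit_mirror(SAMPLE):
        print(key, problem)
```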


