[j-nsp] Layer 2 port mirroring on MX960
Terry Jones
terry.jones at war-eagle.me
Wed Jan 9 22:01:47 EST 2013
Thank you much Siva,

That does explain the missing bridge option. A lot of the documentation I
looked at included the bridge option in the 'forwarding-options
port-mirroring' section, but I am using the vpls option with no success.

I didn't post the mirror interface information as I had nothing configured
under it. After my email, I configured it under 'family bridge
interface-type access' and added the same vlan-id as the monitor port and I
started seeing traffic. However, I'm not sure that this traffic is being
forwarded traffic from the firewall filter, but rather traffic on the vlan
as if the interface is in promiscuous mode. Makes me concerned as it doesn't
seem that I'm seeing all the packets. Also, from the examples and
documentation I've read, it doesn't show configuring the mirror port as
such.

Terry

From: Sivasankar Subbiah <sivasankar.tce at gmail.com>
Date: Wednesday, January 9, 2013 3:18 PM
To: Terry Jones <terry.jones at war-eagle.me>
Cc: <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] Layer 2 port mirroring on MX960

Hi,

as per the Juniper documentation,

Note: Under the [edit forwarding-options port-mirroring instance
pm-instance-name] hierarchy level, the protocol family statement family
bridge is an alias for family vpls. The CLI displays Layer 2 port-mirroring
configurations as family vpls, even for Layer 2 port-mirroring configured as
family bridge.

Cheers
Siva

On 9 January 2013 22:44, Terry Jones <terry.jones at war-eagle.me> wrote:
> Greetings All,
>
> I am trying to get a port mirror working with no success. I want to
> port-mirror interface ge-1/0/0, which is interface-type access.
>
> When I configure the forwarding-options, there is no longer a bridge
> option, only ccc, inet and vpls. Even though not showing, when I configure
> 'forwarding-options port-mirroring instance wireshark9 family bridge', it
> takes it, but changes it to 'forwarding-options port-mirroring instance
> wireshark9 family vpls'.
>
> The port-mirror output shows down on the output, but I do see the counters
> increment.
>
> Any thoughts, ideas or tips would be appreciated.
>
> tjones@crsw01.cn.sb2# show forwarding-options port-mirroring instance wireshark9 | display set
> set forwarding-options port-mirroring instance wireshark9 input rate 1
> set forwarding-options port-mirroring instance wireshark9 family vpls output interface xe-5/2/1.0
> set forwarding-options port-mirroring instance wireshark9 family vpls output no-filter-check
>
> tjones@crsw01.cn.sb2# show interfaces ge-1/0/0 | display set
> set interfaces ge-1/0/0 unit 0 family bridge filter input wireshark9
> set interfaces ge-1/0/0 unit 0 family bridge filter output wireshark9
> set interfaces ge-1/0/0 unit 0 family bridge interface-mode access
> set interfaces ge-1/0/0 unit 0 family bridge vlan-id 802
>
> tjones@crsw01.cn.sb2# show firewall family bridge filter wireshark9 | display set
> set firewall family bridge filter wireshark9 term 1 then count wireshark9
> set firewall family bridge filter wireshark9 term 1 then accept
> set firewall family bridge filter wireshark9 term 1 then port-mirror-instance wireshark9
>
> tjones@crsw01.cn.sb2# run show forwarding-options port-mirroring wireshark9
> Instance Name: wireshark9
>   Instance Id: 11
>   Input parameters:
>     Rate                  : 1
>     Run-length            : 0
>     Maximum-packet-length : 0
>   Output parameters:
>     Family    State    Destination    Next-hop
>     vpls      down     xe-5/2/1.0
>
> tjones@crsw01.cn.sb2# run show firewall counter wireshark9 filter wireshark9
>
> Filter: wireshark9
> Counters:
> Name          Bytes    Packets
> wireshark9    80634    744
>
> Thanks,
>
> Terry
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp