Hey everyone.. So, I read some things that lead me to believe I could run RSPAN on my EX3300 devices. Ideally I create an analyzer on my EX3300 top of rack switches, set the input to the ingress of ge-0/0/0 through 47, and send that to an analyzer VLAN (vlan-id 998) which gets trunked to the upstream core on an XE.
I had configured my core 8208 to firewall filter on the ethernet-switching family input of the top of rack uplink, filtering for vlan-id 998, then sending to the analyzer which then sends traffic from the multiple switch uplinks into one central analyzer port. The following page is an example of something leading me to believe this could work: http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-mirroring-cli.html This is what JTAC referred me to: http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html#network-manage-monitor-features-by-platform-table It says port mirror is supported, but enhanced port mirroring is not (RSPAN?). Basically what I ended up experiencing is only traffic that left the top of rack switch completely was caught (I did TCP dumps to watch traffic). Port ge-0/0/0 to ge-0/0/1 is not captured, but ge-0/0/0 out the xe-0/1/0 trunk to somewhere else in the L2 domain was caught. I do not analyze the uplink port, so this is some odd behavior. If I just send the analyzer output to a local port, I get all the traffic and don't experience this weirdness. Either way Juniper says its officially not supported, so I'm up a creek. Here is my main problem: How can I now aggregate the analyzer data from 32+ top of rack switches into a couple 10 gig ports on an appliance? I realize there are specialized devices that do this, but we spent a lot of money for our gigamon device that does this. I don't think the security team wants to buy another one, not to mention that many 10 gig interfaces would literally cost us 500,000$ with gigamon. I am considering throwing up an EX4500 I have laying around, connecting the analyzer 10G output from every top of rack switch, and then running an analyzer for all 10G top of rack feeds into one or two analyzer outputs. Any reason why this wouldn't work? Kind of an odd work around..but I don't really have any other options at the moment. I thought everything was working great today, until I started noticing some traffic not being displayed. :3 Thanks, Morgan _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp