I ended up heading to the datacenter to try it out; it seems to work. This is my best solution for now, it seems.
Morgan

On Mon, Aug 13, 2012 at 11:41 PM, Morgan McLean <[email protected]> wrote:
> Hey everyone..
>
> So, I read some things that led me to believe I could run RSPAN on my EX3300 devices. Ideally I create an analyzer on my EX3300 top of rack switches, set the input to the ingress of ge-0/0/0 through 47, and send that to an analyzer VLAN (vlan-id 998) which gets trunked to the upstream core on an XE.
>
> I had configured my core 8208 to firewall filter on the ethernet-switching family input of the top of rack uplink, filtering for vlan-id 998, then sending to the analyzer which then sends traffic from the multiple switch uplinks into one central analyzer port.
>
> The following page is an example of something leading me to believe this could work:
> http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-mirroring-cli.html
>
> This is what JTAC referred me to:
> http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html#network-manage-monitor-features-by-platform-table
>
> It says port mirror is supported, but enhanced port mirroring is not (RSPAN?).
>
> Basically what I ended up experiencing is only traffic that left the top of rack switch completely was caught (I did TCP dumps to watch traffic). Port ge-0/0/0 to ge-0/0/1 is not captured, but ge-0/0/0 out the xe-0/1/0 trunk to somewhere else in the L2 domain was caught. I do not analyze the uplink port, so this is some odd behavior. If I just send the analyzer output to a local port, I get all the traffic and don't experience this weirdness.
>
> Either way Juniper says it's officially not supported, so I'm up a creek.
>
> Here is my main problem: How can I now aggregate the analyzer data from 32+ top of rack switches into a couple of 10 gig ports on an appliance? I realize there are specialized devices that do this, but we spent a lot of money for our gigamon device that does this. I don't think the security team wants to buy another one, not to mention that many 10 gig interfaces would literally cost us 500,000$ with gigamon.
>
> I am considering throwing up an EX4500 I have laying around, connecting the analyzer 10G output from every top of rack switch, and then running an analyzer for all 10G top of rack feeds into one or two analyzer outputs. Any reason why this wouldn't work?
>
> Kind of an odd workaround..but I don't really have any other options at the moment. I thought everything was working great today, until I started noticing some traffic not being displayed. :3
>
> Thanks,
> Morgan

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
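For readers following the thread, here is a Junos configuration sketch of the two-stage mirroring setup the quoted post describes: ingress mirroring of the access ports on the EX3300 into analyzer VLAN 998, carried over the xe-0/1/0 trunk, and a firewall filter on the EX8208 uplink that picks VLAN 998 out and hands it to a central analyzer port. This is an added illustration, not the poster's configuration and not Juniper's documentation. VLAN 998, the ge-0/0/0 through ge-0/0/47 inputs and the xe-0/1/0 uplink come from the post; the analyzer names (`tor-mirror`, `core-mirror`), the VLAN name, the core-side uplink `xe-0/0/0` and the appliance-facing port `ge-1/0/0` are assumed.

```junos
/* Top-of-rack EX3300: mirror ingress traffic of the access ports into the
   analyzer VLAN (vlan-id 998), which rides the xe-0/1/0 trunk to the core.
   Only two access ports are spelled out; the post mirrors ge-0/0/0 to 47. */
vlans {
    analyzer-vlan {                 /* VLAN name is assumed */
        vlan-id 998;
        no-local-switching;         /* mirrored frames are not bridged locally */
    }
}
ethernet-switching-options {
    analyzer tor-mirror {           /* analyzer name is assumed */
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
                /* ... one line per access port through ge-0/0/47.0 */
            }
        }
        output {
            vlan {
                analyzer-vlan;
            }
        }
    }
}
interfaces {
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ analyzer-vlan ];   /* alongside the production VLANs */
                }
            }
        }
    }
}

/* Core EX8208: catch VLAN 998 on each top-of-rack uplink with an
   ethernet-switching filter and send it to one analyzer port. */
ethernet-switching-options {
    analyzer core-mirror {          /* analyzer name is assumed */
        output {
            interface {
                ge-1/0/0.0;         /* port facing the capture appliance (assumed) */
            }
        }
    }
}
firewall {
    family ethernet-switching {
        filter catch-analyzer-vlan {
            term mirrored {
                from {
                    vlan 998;
                }
                then {
                    analyzer core-mirror;   /* action modifier: copy to analyzer */
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {                      /* one top-of-rack uplink (name assumed) */
        unit 0 {
            family ethernet-switching {
                filter {
                    input catch-analyzer-vlan;
                }
            }
        }
    }
}
```

The sketch only reproduces what the post sets up; it does not change the behaviour the poster observed (frames switched locally between two access ports were missing from the VLAN-output variant while a local-port output captured everything). When validating any mirroring chain like this, compare a capture taken at the appliance against a known flow between two ports on the same top-of-rack switch, since that is exactly the traffic the post reports as absent.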

