I'm trying to do basic L2 port mirroring based on the Juniper document called "MX Series Ethernet Services Routers Layer 2 Configuration Guide Release 10.1". I have the following config for L2 port mirroring on an MX80 running 12.2R1.3.
The port-mirroring configuration:

mx80> show configuration forwarding-options port-mirroring
family vpls output {
    interface ge-1/3/2.0;
}

Note that "family vpls" is synonymous with "family bridge" according to the documentation, and that "family bridge" can't be opted here.

This is the interface that connects the analyzer server:

mx80> show configuration interfaces ge-1/3/2
encapsulation ethernet-bridge;
unit 0 {
    family bridge;
}

This is the interface I'd like to port mirror, both in and out:

mx80> show configuration interfaces ge-1/0/2
encapsulation ethernet-bridge;
unit 0 {
    family bridge {
        filter {
            input mirror;
            output mirror;
        }
    }
}

This is the firewall filter that calls the port-mirror directive:

mx80> show configuration firewall family bridge filter mirror
term all {
    then {
        accept;
        port-mirror;
    }
}

Interface ge-1/0/2 is part of a bridge domain:

mx80> show bridge domain interface ge-1/0/2.0
Bridge domain: VLAN100, Index: 2
Logical Interface   Outer VLAN   Inner VLAN   Sequence No   Flags
ge-1/0/2.0          0

Interface ge-1/3/2 is also part of a bridge domain:

mx80> show bridge domain interface ge-1/3/2.0
Bridge domain: analyzers, Index: 4
Logical Interface   Outer VLAN   Inner VLAN   Sequence No   Flags
ge-1/3/2.0

All seems well:

mx80> show forwarding-options port-mirroring
Instance Name: &global_instance
  Instance Id: 1
  Input parameters:
    Rate                  : 1
    Run-length            : 1
    Maximum-packet-length : 0
  Output parameters:
    Family    State    Destination    Next-hop
    vpls      up       ge-1/3/2.0

On the analyzer box, I do a tcpdump on the corresponding interface and I ping the server connected to ge-1/0/2.0 from a server that is not directly connected to the MX80, and I look for ICMP request and reply:

[root@analyzer]# tcpdump -n -i igb0 -e | grep -i icmp | egrep -i 'reply|request'
15:48:23.661173 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 0, length 64
15:48:24.662304 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 1, length 64
15:48:25.663276 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 2, length 64

(IP addresses have been anonymized)

I see only the ICMP *reply* coming out of the port, not the request. Note that all traffic is tagged with VLAN 100.

Then I ping from a host that is connected in the same bridge domain as ge-1/0/2 and in the same subnet, connected to ge-1/3/0.0, and I see:

[root@analyzer]# tcpdump -n -i igb0 -e | grep -i icmp | egrep -i 'reply|request'
15:52:52.982512 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: x.x.158.5 > x.x.158.13: ICMP echo request, id 6679, seq 0, length 64
15:52:52.982612 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > x.x.158.5: ICMP echo reply, id 6679, seq 0, length 64

So there I *am* seeing the request as plain IPv4, and the reply as well, which is tagged with VLAN 100 like before.

Anyone have any clue as to why I am not seeing traffic going into the port when it originates from outside the router, but only the outbound? Am I missing something here?

Thanks,
~paul

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
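The post validates the mirror session by eyeballing tcpdump for a matching request/reply pair. The check below, an added example that is not part of the original message or of any Juniper tooling, automates that validation: it parses the "tcpdump -n -e" lines the poster captured (embedded here as constructed sample input copied from the post, with the same anonymized addresses), groups ICMP echo packets by id, and reports for each flow whether the analyzer port received both directions, only replies, or only requests, and whether the copies arrived tagged or untagged. The function names and the "untagged" marker are assumptions of this example; a flow that shows up one-way is exactly the symptom the post describes and is what a defender should catch before trusting an IDS fed from such a mirror.

```python
import re
from collections import defaultdict

# Matches the tail of a "tcpdump -n -e" ICMP echo line, e.g.
#   "... x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 0, length 64"
ICMP_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
# Present only when tcpdump saw an 802.1Q header on the mirrored copy.
VLAN_RE = re.compile(r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+)")


def parse_line(line):
    """Return the fields of one ICMP echo line, or None for any other line."""
    m = ICMP_RE.search(line)
    if m is None:
        return None
    v = VLAN_RE.search(line)
    return {
        "kind": m["kind"],
        "id": int(m["id"]),
        "seq": int(m["seq"]),
        "src": m["src"],
        "dst": m["dst"],
        "vlan": v["vlan"] if v else "untagged",  # "untagged" is this example's marker
    }


def mirror_coverage(lines):
    """Group echo packets by ICMP id and report which directions the mirror delivered."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0, "vlans": set(), "hosts": set()})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        f = flows[p["id"]]
        f[p["kind"]] += 1
        f["vlans"].add(p["vlan"])
        f["hosts"].update((p["src"], p["dst"]))
    report = {}
    for icmp_id, f in flows.items():
        if f["request"] and f["reply"]:
            verdict = "both-directions"
        elif f["reply"]:
            verdict = "reply-only"
        else:
            verdict = "request-only"
        report[icmp_id] = {
            "verdict": verdict,
            "requests": f["request"],
            "replies": f["reply"],
            "vlans": sorted(f["vlans"]),
            "hosts": sorted(f["hosts"]),
        }
    return report


def one_way_flows(report):
    """ICMP ids whose mirrored copy is missing a direction: the ones to investigate."""
    return sorted(i for i, r in report.items() if r["verdict"] != "both-directions")


# Constructed sample input: the two captures quoted in the post.
CAPTURE_EXTERNAL = [
    "15:48:23.661173 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 0, length 64",
    "15:48:24.662304 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 1, length 64",
    "15:48:25.663276 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > y.y.198.213: ICMP echo reply, id 50552, seq 2, length 64",
]
CAPTURE_LOCAL = [
    "15:52:52.982512 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: x.x.158.5 > x.x.158.13: ICMP echo request, id 6679, seq 0, length 64",
    "15:52:52.982612 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, x.x.158.13 > x.x.158.5: ICMP echo reply, id 6679, seq 0, length 64",
]

if __name__ == "__main__":
    for name, capture in (("external ping", CAPTURE_EXTERNAL), ("local ping", CAPTURE_LOCAL)):
        report = mirror_coverage(capture)
        print(name, report, "one-way:", one_way_flows(report))
```

Run against the first capture the report flags id 50552 as reply-only with every copy tagged VLAN 100; against the second it reports id 6679 as both-directions with one untagged and one tagged copy, which mirrors the asymmetry the poster observed. Feeding it a longer "tcpdump -n -e" capture (redirected to a file) gives a per-flow list of what the analyzer actually receives, so the mirror can be verified rather than assumed.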