Re: [j-nsp] MX loopback filter and monitor traffic
> If all of the traffic that comes into the router to the RE via these exposed Layer 3 interfaces eventually makes its way to the RE via the loopback address, at unit 0, why is it that the monitor traffic command does not show me anything? Why is the loopback interface so special?

JUNOS lo0 is not the same as CSCO Loopback[0-9][0-9]* (note lowercase/uppercase L and numbers). In JUNOS, the traffic is never looped back via lo0, unlike in IOS Loopback[0-9][0-9]*. Therefore, it is not possible to:

1/ use monitor traffic interface on JUNOS lo0
2/ use NAT-on-a-stick with JUNOS lo0
3/ loop the VoIP call thru JUNOS lo0 in Cisco IOS dial-peer style
4/ use FBF for traffic originated from the RE itself

HTH
regards
Alex

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MX loopback filter and monitor traffic
I have a question about how the monitor traffic capability works on the loopback interface, particularly with respect to a filter. If I write a filter, such as under a firewall family inet filter re-protect stanza, and apply it to the loopback address, unit 0:

    set interfaces lo0 unit 0 family inet filter input re-protect

I can see traffic hitting the filter, if I have any counters configured in the filter. I can see that the traffic coming into the filter is getting to the RE via any IRBs or other layer 3 interfaces that are terminated on the MX. I can do a monitor traffic on any of these layer 3 interfaces on the input side and see the relevant traffic (to and/or from the RE).

However, if I do a monitor traffic on the loopback interface itself, I see nothing:

    MX> monitor traffic interface lo0.0 no-resolve no-domain-names
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on lo0.0, capture size 96 bytes
    ^C
    0 packets received by filter
    0 packets dropped by kernel

If all of the traffic that comes into the router to the RE via these exposed Layer 3 interfaces eventually makes its way to the RE via the loopback address, at unit 0, why is it that the monitor traffic command does not show me anything? Why is the loopback interface so special?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Re: [j-nsp] MX loopback filter and monitor traffic
On Thu, Jun 16, 2011 at 10:53 AM, Clarke Morledge chm...@wm.edu wrote:
> However, if I do a monitor traffic on the loopback interface itself, I see nothing:

I like to think of monitor traffic as something which is nice when it works the way I hope it will, but isn't something to really get concerned about when it doesn't behave as expected. If you really need detailed information to debug a problem, mirroring traffic to an interface (or a GRE tunnel, etc.) and doing packet capture on a PC is more reliable than betting on the output of monitor traffic.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: [j-nsp] MX loopback filter and monitor traffic
Hi Clarke,

One thing you forgot to mention is if your re-protect filter is actually discarding the traffic or not. However, assuming that you are discarding, the reason you are not seeing the traffic via the monitor command is because the traffic destined to the RE is not actually being filtered on the RE itself but is actually being filtered at the PFE. When you commit the config, the compiled filter is pushed down to the microkernel on the PFE so anything destined to the RE can be filtered via forwarding plane hardware. You can see counters because those are actually gathered at the PFE and then the statistics are sent to the RE.

Hope this makes sense. Sorry for the top post, I am on my Android.

Stefan Fouant
GPG Key ID: 0xB4C956EC
Sent from my HTC EVO.

- Reply message -
From: Clarke Morledge chm...@wm.edu
Date: Thu, Jun 16, 2011 10:53 am
Subject: [j-nsp] MX loopback filter and monitor traffic
To: juniper-nsp@puck.nether.net

> I have a question about how the monitor traffic capability works on the loopback interface, particularly with respect to a filter. If I write a filter, such as under a firewall family inet filter re-protect stanza, and apply it to the loopback address, unit 0:
>
>     set interfaces lo0 unit 0 family inet filter input re-protect
>
> I can see traffic hitting the filter, if I have any counters configured in the filter. I can see that the traffic coming into the filter is getting to the RE via any IRBs or other layer 3 interfaces that are terminated on the MX. I can do a monitor traffic on any of these layer 3 interfaces on the input side and see the relevant traffic (to and/or from the RE).
>
> However, if I do a monitor traffic on the loopback interface itself, I see nothing:
>
>     MX> monitor traffic interface lo0.0 no-resolve no-domain-names
>     verbose output suppressed, use <detail> or <extensive> for full protocol decode
>     Address resolution is OFF.
>     Listening on lo0.0, capture size 96 bytes
>     ^C
>     0 packets received by filter
>     0 packets dropped by kernel
>
> If all of the traffic that comes into the router to the RE via these exposed Layer 3 interfaces eventually makes its way to the RE via the loopback address, at unit 0, why is it that the monitor traffic command does not show me anything? Why is the loopback interface so special?
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
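A minimal lo0 RE-protection filter of the kind discussed in this thread, added here as an illustration and not taken from any poster's configuration: because monitor traffic on lo0.0 shows nothing, the count and log actions are what let you see at the PFE which terms the traffic is hitting. The prefix lists and addresses are constructed sample values, and a production filter needs accept terms for every protocol the RE must receive (routing protocols, NTP, DNS, SNMP and so on) ahead of the final discard term, or you lock yourself out on commit.

```junos
policy-options {
    /* constructed sample prefixes, not from the thread */
    prefix-list mgmt-hosts { 192.0.2.0/24; }
    prefix-list bgp-peers { 198.51.100.0/24; }
}
firewall {
    family inet {
        filter re-protect {
            /* management access only from the listed hosts */
            term allow-mgmt-ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then { count ssh-accepted; accept; }
            }
            /* BGP sessions only from configured peers */
            term allow-bgp {
                from {
                    source-prefix-list { bgp-peers; }
                    protocol tcp;
                    port bgp;
                }
                then { count bgp-accepted; accept; }
            }
            /* everything else is counted and logged before discard, */
            /* so the filter itself provides the visibility lo0 cannot */
            term deny-rest {
                then {
                    count other-discarded;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input re-protect; }
                /* constructed sample loopback address */
                address 203.0.113.1/32;
            }
        }
    }
}
```

After commit, show firewall filter re-protect displays the per-term counters that the PFE gathers and reports to the RE, and show firewall log shows the headers of packets that matched the log action.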