Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-11-12 Thread Paul Vlaar
Clarke,

On 9/11/12 11:37 PM, Clarke Morledge wrote:
> If the packet's L2 destination MAC matches the router's IRB MAC
> address It's important to note that any bridge family filters applied
> to the related Layer 2 IFLs, or to the FT [forwarding table] in the BD
> itself, are not evaluated or processed for routed traffic, even though
> that traffic may ingress on a Layer 2 interface where a Layer 2 input
> filter is applied.

Thing is I could see echo replies coming back from the bridge domain
interfaces via the IRB, but not the outgoing icmp echo requests. So it
appears this works the other way around than what it says above.

Meanwhile, Juniper TAC have told me:

I have done some research and found out that we can mirror L2 packets
entering IRB from the bridge domain but reverse is not possible. For the
reverse traffic L3 packets entering IRB => bridge-domain, you can mirror
it using family inet filter output on the IRB interface. But this will
mirror at L3 level (IPv4 traffic), and will not preserve the L2 headers.

That seems to confirm the behaviour I saw.

Given this inconsistent behaviour I've left L2 mirroring for what it was.
I only looked at L2 mirroring as an alternative to L3 as I found v6
wasn't supporting next-hop-group (as the goal was to mirror to multiple
analyzers). I've solved the whole issue of not being able to port mirror
v6 to multiple analyzers with a workaround though: by using L3 mirroring
with a virtual switch and an unlearnable MAC address, which then copies
to as many ports as the virtual switch has.

~paul
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-11-09 Thread Clarke Morledge

Paul,

Just to come full circle on that IRB issue and L2 port mirroring.  From 
page 213 in Hanks and Reynolds _Juniper MX Series_:


If the packet's L2 destination MAC matches the router's IRB MAC 
address It's important to note that any bridge family filters applied 
to the related Layer 2 IFLs, or to the FT [forwarding table] in the BD 
itself, are not evaluated or processed for routed traffic, even though 
that traffic may ingress on a Layer 2 interface where a Layer 2 input 
filter is applied.


Thanks sounds pretty authoritative.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187


Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-26 Thread Paul Vlaar
Clarke,

I'm not sure you understood my topology 100%, but let me summarize things:

This is what the topology looks like:

           [ Cisco ]
        x.x.158.194/30
              |
        x.x.158.193/30
           ge-1/3/11
              |
           [ MX80 ]  irb.100: x.x.158.1/26
           /      \
    ge-1/0/2      ge-1/3/0
x.x.158.13/26    x.x.158.5/26
    host1           host2

I hope that diagram is readable, and I couldn't really fit this into the
drawing nicely, but some additional data:

- analyzer host is connected to ge-1/3/2
- the filter that calls port-mirror is only on ge-1/0/2
- ge-1/0/2 and ge-1/3/0 are in the same bridge domain.

So the Cisco isn't hanging off ge-1/0/2, but comes in at ge-1/3/11.

- echo request from .194 to .13 can't be seen on the analyzer, but the
reply *is* seen.

- echo request from .5 to .13 *can* be seen, and so can the reply.

So you're saying that when we come in on ge-1/3/11 via L3 and go out to
ge-1/0/2, because we traverse into the bridge domain and come from L3,
this is not being mirrored? Somehow I am reading your description as the
other way around though, but I can understand the logic behind this.

I could go for L3 mirroring for the irb.100 interface, but the whole
thing that started this thread for me was that I can't mirror to more
than one next-hop for inet6 (inet has next-hop-group available, but not
inet6), and so I started looking for an alternative way, such as via L2.

What I've done now is followed Chuck Anderson's example of just plugging
the analyzer output port into another switch where the 2 analyzer hosts
are also connected. And then setting the next-hop MAC address to an
unknown to keep the traffic flooding.  However I don't use a real
switch, but just cross-connect to another port on the same MX80, which
is part of a virtual switch, and into which I've also plugged the 2
analyzer servers.

So I got what I want, which is L3 mirroring for both v4 and v6 to more
than one analyzer box, at the cost of an extra patch cable and 3 GE
ports on the MX80. Kind of a hack, but it works.

This is actually better since we're only interested in traffic dumping
for specific TCP/UDP port numbers, but it would still be nice to know
what exactly was going on with the L2 results.

   ~paul






On 24/10/12 8:30 PM, Clarke Morledge wrote:
> Paul,
>
> In your last example, assuming that your cisco router is hanging off
> your mirror source port, ge-1/0/2, it makes sense from my experience
> that your x.x.158.13 > x.x.158.194: ICMP echo reply shows up in your
> mirror output, as I mentioned earlier, but not the ICMP echo request in
> the other direction.  The echo request enters your L2 configured port,
> but since it then crosses a subnet boundary by hitting your irb.100, the
> MX will not treat it as L2 any more for mirroring purposes.
>
> So if you do a Layer3 port mirror with irb.100 as your mirror source,
> you should be able to see the packet.
>
> Traffic coming out of the IRB egressing out the L2 mirror source port
> gets treated as L2, which is why the L2 mirror works in that direction.
> There is something about the way Integrated Routing and Bridging works
> that accounts for this, but I do not fully understand it.
>
> With respect to the vlan tag/un-tag, because you changed the vlan-id to
> 1000 in the bridge-domain, as the original packet had a vlan tag of 100,
> this changes the mirrored packet.  It shows up on the mirror output as
> untagged because your encapsulation ethernet-bridge on the interface
> will not tag the packet.
>
> I use the encapsulation flexible-ethernet-services with
> flexible-vlan-tagging and I am able to change the vlan-id of the
> mirrored output if I need to do that.
>
> The other cases you describe have me scratching my head as to what is
> up, but I've seen other weird things with layer2 mirroring that do not
> make much sense to me.  So as to why the behavior between x.x.158.13 and
> x.x.158.5 is reversed now is really puzzling, particularly since traffic
> in both directions should just be L2.
>
> It bugs me that the L2 port mirror examples in the web documentation are
> really poor.  They have made some improvements recently, but Juniper
> really needs to step up and cover these different scenarios in detail.
> Typically, I need to set up a port mirror on the fly for a quick look,
> but unfortunately, I end up messing with JTAC for several weeks trying
> to get something to work that takes about 5 minutes on a Cisco platform.
>
> The flexibility of the Junos platform allows for some complex mirroring,
> which is great, but I have wasted a lot of time trying to get a handle
> on this port mirroring thing and still do not get it. Where I can
> afford it, I just say "Forget it, I'll stick with a tap."
>
> If you can make any better heads or tails out of this, I'd like to hear
> about it.
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
>
> On Tue, 23 Oct 2012, Paul Vlaar wrote:
>
>> On 23/10/12 10:59 PM, 

Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-24 Thread Clarke Morledge

Paul,

In your last example, assuming that your cisco router is hanging off your 
mirror source port, ge-1/0/2, it makes sense from my experience that your 
x.x.158.13 > x.x.158.194: ICMP echo reply shows up in your mirror 
output, as I mentioned earlier, but not the ICMP echo request in the other 
direction.  The echo request enters your L2 configured port, but since it 
then crosses a subnet boundary by hitting your irb.100, the MX will not 
treat it as L2 any more for mirroring purposes.


So if you do a Layer3 port mirror with irb.100 as your mirror source, you 
should be able to see the packet.


Traffic coming out of the IRB egressing out the L2 mirror source port gets 
treated as L2, which is why the L2 mirror works in that direction.  There 
is something about the way Integrated Routing and Bridging works that 
accounts for this, but I do not fully understand it.


With respect to the vlan tag/un-tag, because you changed the vlan-id to 
1000 in the bridge-domain, as the original packet had a vlan tag of 100, 
this changes the mirrored packet.  It shows up on the mirror output as 
untagged because your encapsulation ethernet-bridge on the interface 
will not tag the packet.


I use the encapsulation flexible-ethernet-services with 
flexible-vlan-tagging and I am able to change the vlan-id of the 
mirrored output if I need to do that.


The other cases you describe have me scratching my head as to what is up, 
but I've seen other weird things with layer2 mirroring that do not make 
much sense to me.  So as to why the behavior between x.x.158.13 and 
x.x.158.5 is reversed now is really puzzling, particularly since traffic 
in both directions should just be L2.


It bugs me that the L2 port mirror examples in the web documentation are 
really poor.  They have made some improvements recently, but Juniper 
really needs to step up and cover these different scenarios in detail. 
Typically, I need to set up a port mirror on the fly for a quick look, but 
unfortunately, I end up messing with JTAC for several weeks trying to get 
something to work that takes about 5 minutes on a Cisco platform.


The flexibility of the Junos platform allows for some complex mirroring, 
which is great, but I have wasted a lot of time trying to get a handle on 
this port mirroring thing and still do not get it. Where I can afford 
it, I just say "Forget it, I'll stick with a tap."


If you can make any better heads or tails out of this, I'd like to hear 
about it.


Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187

On Tue, 23 Oct 2012, Paul Vlaar wrote:


On 23/10/12 10:59 PM, Clarke Morledge wrote:

---
My question for you would be if you have an IRB interface associated
with the bridge-domain that your mirror source port is in, and if the
ICMP traffic coming into the router is hitting that IRB.  If that is the
case, the MX will not treat the traffic coming into your IRB interface
via your encapsulation ethernet-bridge as Layer2 traffic in this
context, so it will not get mirrored.
-


There is indeed an IRB associated with the bridge-domain of the port to
be mirrored:

mx80> show configuration bridge-domains VLAN100 routing-interface
routing-interface irb.100;

mx80> show configuration interfaces irb.100
family inet {
    address x.x.158.1/26;
}

A traceroute from another router that is one L3 hop away from the MX80,
to the IP address of the host connected to the interface that we're
doing the port mirror on:

cisco#traceroute x.x.158.13
Type escape sequence to abort.
Tracing the route to 199.115.158.13
VRF info: (vrf in name/id, vrf out name/id)
 1 x.x.158.193 0 msec 0 msec 0 msec
 2 x.x.158.13 0 msec 0 msec 0 msec
cisco#

x.x.158.193 is the address of the point to point link at the MX80, and
x.x.158.13 is the IP address of the mirrored host.

So as far as I can see it's not hitting the irb.100 address, however it
is doing this on the return, as it's the default gateway out of the host
at x.x.158.13. But the return is where we catch the ICMP reply, so that
part works.

To be complete here, this is the L3 interface where the traffic comes in
from the other router:

mx80> show configuration interfaces ge-1/3/11
unit 0 {
    family inet {
        address x.x.158.193/30;
    }
}

And this is the FIB entry for the target host:

mx80> show route forwarding-table destination x.x.158.13
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
x.x.158.13/32      dest     1 0:1b:21:84:d7:a6   ucst   768     4 ge-1/0/2.0

Routing table: default-switch.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   538     1

Routing table: __master.anon__.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef 

Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-24 Thread Clarke Morledge

Paul,

It occurred to me after my last testing of the L2 port mirroring feature 
that perhaps the issue involving traffic that also hits an IRB along the 
way could be related to behavioral differences between different versions 
of Junos and different chipsets.


In my previous tests that showed Layer2 port mirroring only working for 
egress packets and NOT for ingress packets destined for the IRB was on the 
MX 240 platform (not MX80) with I-Chip and therefore NOT Trio.  At that 
time, I was also running 10.2.


I tried the same type of setup again with I-Chip based hardware using 
10.4R10.7 and now I cannot get the layer2 port mirroring to pick up 
anything when there is an IRB involved.


However, if I do the same type of configuration using an MX-80 (Trio) I 
get the type of results you got the first time:   packets on ingress that 
hit the IRB get mirrored at layer2, but packets that egress from the IRB 
do not.  This is using 11.4R5.5.


Fortunately, using layer3 port mirroring off of the IRB does appear to 
work in all configurations/hardware that I have tested.   But it sure is 
confusing.



Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187



Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-23 Thread Paul Vlaar
This is another way to possibly port mirror in L2 to multiple ports:

http://www.juniper.net/techpubs/software/junos/junos95/swconfig-layer-2/id-l2-mirror-next-hop-example.html#id-l2-mirror-next-hop-example

Roughly following the example code for the firewall filter, I get:

[edit firewall family inet filter collect_pkts term ftp-term]
mx80# show
from {
    protocol tcp;
    port 21;
}
##
## Warning: statement ignored: unsupported platform (mx80-48t)
##
then next-hop-group default-collect;


So here's another MX80 weirdy: apparently next-hop-group is not
supported within firewall filters. Has anyone here run into this one yet
and found a workaround?

This is on 12.2R1.3.

~paul


Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-23 Thread Clarke Morledge

Paul,

You asked:

This is the interface which I want to mirror:

mx80# show interfaces ge-1/0/2
description app3.igb0;
encapsulation ethernet-bridge;
unit 0 {
    family bridge {
        filter {
            input mirror;
            output mirror;
        }
    }
}

...

When I do a ping from a host on the internet, outside the node, to the
IP address of the server that is connected to ge-1/0/1, I see the ping
being answered. On the analyzer connected to ge-1/3/2 I do a tcpdump and
I see only the ICMP echo reply:

15:53:04.415530 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 >
x.x.x.226: ICMP echo reply, id 19022, seq 30, length 64
15:53:05.416447 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 >
x.x.x.226: ICMP echo reply, id 19022, seq 31, length 64

Why do I not see the ICMP request going out of the port, and only the 
reply?


---

My question for you would be if you have an IRB interface associated with 
the bridge-domain that your mirror source port is in, and if the ICMP 
traffic coming into the router is hitting that IRB.  If that is the case, 
the MX will not treat the traffic coming into your IRB interface via your 
encapsulation ethernet-bridge as Layer2 traffic in this context, so it 
will not get mirrored.



-

Also, you asked:

The interesting thing is that I do see the ICMP request when I ping from
a host that is directly connected to the router, connected to a port
that is in the same bridge-domain as ge-1/0/2:

16:02:24.160278 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4
(0x0800), length 98: x.x.x.5 > x.x.x.13: ICMP echo request, id 16139,
seq 0, length 64
16:02:24.160391 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 > x.x.x.5:
ICMP echo reply, id 16139, seq 0, length 64

Note that the ICMP request is showing as untagged traffic, yet the reply
is in VLAN 100. On the router, ge-1/0/2 is in a bridge-domain with VLAN
id 100. No other ports have the 'mirror' filter applied.

Anybody ever done L2 port mirroring on an MX80 or have a clue as to why
the above is happening? 

--

With respect to the vlan tagging on the port mirror output interface, the 
L2 packet being mirrored will egress with the original vlan tag intact, 
no matter what vlan id you configure on the mirror destination interface.


However, if you insert the vlan-id keyword into the bridge-domain 
configuration, you can manipulate the vlan tag that gets egressed out of 
your mirror destination port.  But if the vlan-id in the bridge domain 
is the same as the vlan-id of the mirror destination port, the original 
packet vlan-id gets preserved on output.


I have not tested this, but my guess is that this might also apply to 
packets being mirrored that are untagged at the source.


Port mirroring on this platform is enough to make your head spin.

I am working with 11.4R5.5 on an MX-80.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187



Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-23 Thread Paul Vlaar
Clarke,

thanks for your response.

On 23/10/12 10:59 PM, Clarke Morledge wrote:
> ---
> My question for you would be if you have an IRB interface associated
> with the bridge-domain that your mirror source port is in, and if the
> ICMP traffic coming into the router is hitting that IRB.  If that is the
> case, the MX will not treat the traffic coming into your IRB interface
> via your encapsulation ethernet-bridge as Layer2 traffic in this
> context, so it will not get mirrored.
> -

There is indeed an IRB associated with the bridge-domain of the port to
be mirrored:

mx80> show configuration bridge-domains VLAN100 routing-interface
routing-interface irb.100;

mx80> show configuration interfaces irb.100
family inet {
    address x.x.158.1/26;
}

A traceroute from another router that is one L3 hop away from the MX80,
to the IP address of the host connected to the interface that we're
doing the port mirror on:

cisco#traceroute x.x.158.13
Type escape sequence to abort.
Tracing the route to 199.115.158.13
VRF info: (vrf in name/id, vrf out name/id)
  1 x.x.158.193 0 msec 0 msec 0 msec
  2 x.x.158.13 0 msec 0 msec 0 msec
cisco#

x.x.158.193 is the address of the point to point link at the MX80, and
x.x.158.13 is the IP address of the mirrored host.

So as far as I can see it's not hitting the irb.100 address, however it
is doing this on the return, as it's the default gateway out of the host
at x.x.158.13. But the return is where we catch the ICMP reply, so that
part works.

To be complete here, this is the L3 interface where the traffic comes in
from the other router:

mx80> show configuration interfaces ge-1/3/11
unit 0 {
    family inet {
        address x.x.158.193/30;
    }
}

And this is the FIB entry for the target host:

mx80> show route forwarding-table destination x.x.158.13
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
x.x.158.13/32      dest     1 0:1b:21:84:d7:a6   ucst   768     4 ge-1/0/2.0

Routing table: default-switch.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   538     1

Routing table: __master.anon__.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   529     1


> --
>
> With respect to the vlan tagging on the port mirror output interface,
> the L2 packet being mirrored will egress with the original vlan tag
> intact, no matter what vlan id you configure on the mirror destination
> interface.
>
> However, if you insert the vlan-id keyword into the bridge-domain
> configuration, you can manipulate the vlan tag that gets egressed out of
> your mirror destination port.  But if the vlan-id in the bridge domain
> is the same as the vlan-id of the mirror destination port, the original
> packet vlan-id gets preserved on output.

I've tried setting vlan-id on the bridge-domain for the analyzer port:

[edit bridge-domains analyzers]
mx80# show
domain-type bridge;
vlan-id 1000;
interface ge-1/3/2.0;

After I commit, when I ping from the host connected to the same bridge
domain as the mirrored port, where before I could see the ICMP request
go in as well, I now only see the reply:

17:22:26.067209 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype IPv4
(0x0800), length 98: x.x.158.13 > x.x.158.5: ICMP echo reply, id 56599,
seq 2, length 64
17:22:27.067850 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype IPv4
(0x0800), length 98: x.x.158.13 > x.x.158.5: ICMP echo reply, id 56599,
seq 3, length 64

And what's more it is untagged now.

The same for pinging from the cisco router:

17:25:22.720228 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype IPv4
(0x0800), length 114: x.x.158.13 > x.x.158.194: ICMP echo reply, id 33,
seq 2, length 80

(previously this was tagged as well)

So perhaps a trick can be found here to make this work both ways...

> I have not tested this, but my guess is that this might also apply to
> packets being mirrored that are untagged at the source.
>
> Port mirroring on this platform is enough to make your head spin.

I unfortunately have to agree on that.

~paul



Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-22 Thread Paul Vlaar
Chuck,

thanks for the pointer and for the example code. This would definitely
work, but I'd still like to see if I can do this without an additional
switch.

I've been playing with L2 port mirroring and this config came out so far:

mx80# show forwarding-options port-mirroring family vpls
output {
    next-hop-group vpls-mirror-group;
}

mx80# show forwarding-options next-hop-group vpls-mirror-group
group-type layer-2;
interface ge-1/3/5.0;
interface ge-1/3/2.0;

This is one of the analyzer ports:

mx80# show interfaces ge-1/3/2
description meas1:igb0;
encapsulation ethernet-bridge;
unit 0;

They are both in the same bridge domain:

mx80# show bridge-domains meas-servers
domain-type bridge;
interface ge-1/3/2.0;
interface ge-1/3/5.0;

This is the interface which I want to mirror:

mx80# show interfaces ge-1/0/2
description app3.igb0;
encapsulation ethernet-bridge;
unit 0 {
    family bridge {
        filter {
            input mirror;
            output mirror;
        }
    }
}

The filter, applied to both input and output of the above interface,
that calls to port-mirror:

mx80# show firewall family bridge filter mirror
term all {
    then {
        accept;
        port-mirror;
    }
}

When I do a ping from a host on the internet, outside the node, to the
IP address of the server that is connected to ge-1/0/1, I see the ping
being answered. On the analyzer connected to ge-1/3/2 I do a tcpdump and
I see only the ICMP echo reply:

15:53:04.415530 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 >
x.x.x.226: ICMP echo reply, id 19022, seq 30, length 64
15:53:05.416447 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 >
x.x.x.226: ICMP echo reply, id 19022, seq 31, length 64

Why do I not see the ICMP request going out of the port, and only the reply?

The interesting thing is that I do see the ICMP request when I ping from
a host that is directly connected to the router, connected to a port
that is in the same bridge-domain as ge-1/0/2:

16:02:24.160278 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4
(0x0800), length 98: x.x.x.5 > x.x.x.13: ICMP echo request, id 16139,
seq 0, length 64
16:02:24.160391 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q
(0x8100), length 102: vlan 100, p 2, ethertype IPv4, x.x.x.13 > x.x.x.5:
ICMP echo reply, id 16139, seq 0, length 64

Note that the ICMP request is showing as untagged traffic, yet the reply
is in VLAN 100. On the router, ge-1/0/2 is in a bridge-domain with VLAN
id 100. No other ports have the 'mirror' filter applied.

Anybody ever done L2 port mirroring on an MX80 or have a clue as to why
the above is happening?

Thanks,

~paul


On 20/10/12 6:00 PM, juniper-nsp-requ...@puck.nether.net wrote:
> Date: Fri, 19 Oct 2012 17:07:42 -0400
> From: Chuck Anderson c...@wpi.edu
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] port mirror to multiple ports on MX80 in inet6
> Message-ID: 20121019210742.gn2...@angus.ind.wpi.edu
> Content-Type: text/plain; charset=us-ascii
>
> What I do is plug the monitor (output) port into a switch with a
> separate monitoring VLAN and then set the destination MAC address to
> an unknown one like 02:02:02:02:02:02--the switch will forward all the
> unknown traffic to all ports in the monitoring VLAN.  Works great with
> an EX4200 (on which I'm also using other ports for normal traffic):
>
> MX> show configuration forwarding-options port-mirroring
> input {
>     rate 1;
>     run-length 0;
> }
> family inet {
>     output {
>         interface ge-0/1/2.0 {
>             next-hop 192.0.2.2;
>         }
>     }
> }
> family inet6 {
>     output {
>         interface ge-0/1/2.0 {
>             next-hop 2001:0db8::2;
>         }
>     }
> }
>
> MX> show configuration interfaces ge-0/1/2
> unit 0 {
>     family inet {
>         no-redirects;
>         no-neighbor-learn;
>         address 192.0.2.1/30 {
>             arp 192.0.2.2 mac 02:02:02:02:02:02;
>         }
>     }
>     family inet6 {
>         no-neighbor-learn;
>         address 2001:0db8::1/126 {
>             ndp 2001:0db8::2 mac 02:02:02:02:02:02;
>         }
>     }
> }
>
> EX> show configuration vlans MIRROR
> vlan-id 2;
>
> EX> show configuration interfaces ge-0/0/0
> description "mirror from mx ge-0/1/2";
> unit 0 {
>     family ethernet-switching {
>         vlan {
>             members 2;
>         }
>     }
> }
>
> EX> show configuration interfaces ge-0/0/1
> description "mirror to destination1";
> unit 0 {
>     family ethernet-switching {
>         vlan {
>             members 2;
>         }
>     }
> }
>
> EX> show configuration interfaces ge-0/0/2
> description "mirror to destination2";
> unit 0 {
>     family ethernet-switching {
>         vlan {
>             members 2;
>         }
>     }
> }
>

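As an added check, not from the thread or from Juniper: a small Python script that pairs the ICMP echo requests and replies in analyzer-side tcpdump output of the kind quoted in this post and in the 2012-10-23 follow-up, so that a mirror that only catches one direction, or a tag change like the untagged request / tagged reply seen above, is reported rather than eyeballed. The sample capture is constructed from the quoted lines with the masked x.x.x addresses replaced by 192.0.2.0/24 documentation addresses.

```python
"""Audit an analyzer-side tcpdump capture for one-way mirroring and tag changes.
Pairs ICMP echo requests with replies by (id, seq) and reports pairs where one
direction never reached the analyzer or where the 802.1Q tagging differs."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tcpdump -e prints two shapes for an IPv4 frame. Tagged:
#   ... ethertype 802.1Q (0x8100), length N: vlan V, p P, ethertype IPv4, SRC > DST: ICMP ...
# Untagged:
#   ... ethertype IPv4 (0x0800), length N: SRC > DST: ICMP ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype "
    r"(?:802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype IPv4, "
    r"|IPv4 \(0x0800\), length \d+: )"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Constructed sample modelled on the lines quoted in the thread; the masked
# x.x.x addresses are replaced with 192.0.2.0/24 documentation addresses.
SAMPLE_CAPTURE = """\
15:53:04.415530 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, 192.0.2.13 > 192.0.2.226: ICMP echo reply, id 19022, seq 30, length 64
15:53:05.416447 00:1b:21:84:d7:a6 > 80:71:1f:c6:34:f0, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, 192.0.2.13 > 192.0.2.226: ICMP echo reply, id 19022, seq 31, length 64
16:02:24.160278 00:1b:21:86:a5:22 > 00:1b:21:84:d7:a6, ethertype IPv4 (0x0800), length 98: 192.0.2.5 > 192.0.2.13: ICMP echo request, id 16139, seq 0, length 64
16:02:24.160391 00:1b:21:84:d7:a6 > 00:1b:21:86:a5:22, ethertype 802.1Q (0x8100), length 102: vlan 100, p 2, ethertype IPv4, 192.0.2.13 > 192.0.2.5: ICMP echo reply, id 16139, seq 0, length 64
"""


@dataclass
class EchoPacket:
    ts: str
    src: str
    dst: str
    kind: str            # "request" or "reply"
    icmp_id: int
    seq: int
    vlan: Optional[int]  # None when the mirrored frame arrived untagged


def parse_capture(text: str) -> List[EchoPacket]:
    """Parse ICMP echo lines; other traffic (ARP, TCP, ...) is skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(EchoPacket(
            ts=m["ts"], src=m["src"], dst=m["dst"], kind=m["kind"],
            icmp_id=int(m["id"]), seq=int(m["seq"]),
            vlan=int(m["vlan"]) if m["vlan"] is not None else None,
        ))
    return packets


def audit_echo_pairs(packets: List[EchoPacket]) -> Dict[Tuple[int, int], List[str]]:
    """For every (id, seq) pair, list what is wrong with what the analyzer saw."""
    pairs: Dict[Tuple[int, int], Dict[str, EchoPacket]] = defaultdict(dict)
    for p in packets:
        pairs[(p.icmp_id, p.seq)][p.kind] = p
    findings: Dict[Tuple[int, int], List[str]] = {}
    for key, sides in sorted(pairs.items()):
        problems = []
        if "request" not in sides:
            problems.append("request not mirrored")
        if "reply" not in sides:
            problems.append("reply not mirrored")
        if len(sides) == 2 and sides["request"].vlan != sides["reply"].vlan:
            problems.append(
                f"tag mismatch: request vlan={sides['request'].vlan}, "
                f"reply vlan={sides['reply'].vlan}"
            )
        findings[key] = problems
    return findings


def session_summary(findings: Dict[Tuple[int, int], List[str]]) -> Dict[int, Dict[str, int]]:
    """Collapse per-packet findings into counts per ping session (ICMP id)."""
    summary: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for (icmp_id, _seq), problems in findings.items():
        for problem in problems:
            summary[icmp_id][problem.split(":")[0]] += 1
    return {icmp_id: dict(counts) for icmp_id, counts in summary.items()}


def main(argv: List[str]) -> None:
    # With a file argument, audit a real "tcpdump -e -n" capture; otherwise the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CAPTURE
    findings = audit_echo_pairs(parse_capture(text))
    for (icmp_id, seq), problems in findings.items():
        print(f"id={icmp_id} seq={seq}: {'; '.join(problems) or 'ok'}")
    for icmp_id, counts in session_summary(findings).items():
        print(f"session {icmp_id}: {counts}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample it reports both seq 30 and 31 of session 19022 as "request not mirrored" and the 16139 pair as a tag mismatch (untagged request, VLAN 100 reply), which is exactly the pattern the post describes.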


Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-19 Thread Paul Vlaar
Alex,

On 19/10/12 7:33 AM, Alex Arseniev wrote:
> You could do cascaded PM. In a nutshell:
> 1/ port-mirror original packet, send the original packet on its way
> 2/ send the COPY into a loop (cable loop or looped tunnel)
> 3/ take the looped COPY and mirror it once again, creating 2nd copy.
> 4/ send 1st copy and 2nd copy on their respective ways.

The problem I see there is how do you configure the [ port-mirroring
family inet6 ] section with a different output interface on the second
run once you hit the port-mirror statement in the firewall rule.

forwarding-options {
    port-mirroring {
        family inet6 {
            output {
                interface ge-1/3/2.0 {
                    next-hop fdb5:1281:f3cf:c7c4::2;
                }
                no-filter-check;
            }
        }
    }
}

Can you perhaps send me some example config on how to do this?

What strikes me is that the lack of next-hop-groups for inet6 feels like
a software limitation.

   ~paul






Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-19 Thread Alex Arseniev

Have you tried PM instances?

- Original Message - 
From: Paul Vlaar p...@vlaar.net

To: Alex Arseniev alex.arsen...@gmail.com
Cc: juniper-nsp@puck.nether.net
Sent: Friday, October 19, 2012 9:49 AM
Subject: Re: [j-nsp] port mirror to multiple ports on MX80 in inet6



Alex,

On 19/10/12 7:33 AM, Alex Arseniev wrote:

You could do cascaded PM. In a nutshell:
1/ port-mirror original packet, send the original packet on its way
2/ send the COPY into a loop (cable loop or looped tunnel)
3/ take the looped COPY and mirror it once again, creating 2nd copy.
4/ send 1st copy and 2nd copy on their respective ways.


The problem I see there is how do you configure the [ port-mirroring
family inet6 ] section with a different output interface on the second
run once you hit the port-mirror statement in the firewall rule.

forwarding-options {
    port-mirroring {
        family inet6 {
            output {
                interface ge-1/3/2.0 {
                    next-hop fdb5:1281:f3cf:c7c4::2;
                }
                no-filter-check;
            }
        }
    }
}

Can you perhaps send me some example config on how to do this?

What strikes me is that the lack of next-hop-groups for inet6 feels like
a software limitation.

  ~paul








Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-19 Thread Chuck Anderson
What I do is plug the monitor (output) port into a switch with a
separate monitoring VLAN and then set the destination MAC address to
an unknown one like 02:02:02:02:02:02--the switch will forward all the
unknown traffic to all ports in the monitoring VLAN.  Works great with
an EX4200 (on which I'm also using other ports for normal traffic):

MX> show configuration forwarding-options port-mirroring
input {
    rate 1;
    run-length 0;
}
family inet {
    output {
        interface ge-0/1/2.0 {
            next-hop 192.0.2.2;
        }
    }
}
family inet6 {
    output {
        interface ge-0/1/2.0 {
            next-hop 2001:0db8::2;
        }
    }
}

MX> show configuration interfaces ge-0/1/2
unit 0 {
    family inet {
        no-redirects;
        no-neighbor-learn;
        address 192.0.2.1/30 {
            arp 192.0.2.2 mac 02:02:02:02:02:02;
        }
    }
    family inet6 {
        no-neighbor-learn;
        address 2001:0db8::1/126 {
            ndp 2001:0db8::2 mac 02:02:02:02:02:02;
        }
    }
}

EX> show configuration vlans MIRROR
vlan-id 2;

EX> show configuration interfaces ge-0/0/0
description "mirror from mx ge-0/1/2";
unit 0 {
    family ethernet-switching {
        vlan {
            members 2;
        }
    }
}

EX> show configuration interfaces ge-0/0/1
description "mirror to destination1";
unit 0 {
    family ethernet-switching {
        vlan {
            members 2;
        }
    }
}

EX> show configuration interfaces ge-0/0/2
description "mirror to destination2";
unit 0 {
    family ethernet-switching {
        vlan {
            members 2;
        }
    }
}



On Fri, Oct 19, 2012 at 12:45:40AM +0200, Paul Vlaar wrote:
 Hi, I've currently successfully gotten port mirroring setup to more than
 one port, using the following config:
 
 port-mirroring {
 family inet {
 output {
 next-hop-group default-collect;
 }
 }
 
 next-hop-group default-collect {
 group-type inet;
 interface ge-1/3/2.0 {
 next-hop 192.168.10.2;
 }
 interface ge-1/3/5.0 {
 next-hop 192.168.20.2;
 }
 }
 
 router show configuration interfaces ge-1/3/2
 unit 0 {
 family inet {
 address 192.168.10.1/30 {
 arp 192.168.10.2 mac 00:1b:21:86:a2:92;
 }
 }
 family inet6 {
 address fdb5:1281:f3cf:c7c4::1/64 {
 ndp fdb5:1281:f3cf:c7c4::2 mac 00:1b:21:86:a2:92;
 }
 }
 }
 
 router show configuration interfaces ge-1/3/5
 unit 0 {
 family inet {
 address 192.168.20.1/30 {
 arp 192.168.20.2 mac 00:1b:21:86:a3:9a;
 }
 }
 family inet6 {
 address fd3d:122a:8541:ecb5::1/64 {
 ndp fd3d:122a:8541:ecb5::2 mac 00:1b:21:86:a2:93;
 }
 }
 }
 
 This works very nicely, I see traffic at both measurement hosts. I would
 like to do the same for IPv6, but there's no next-hop-group setting
 available:
 
 [edit forwarding-options port-mirroring family inet6 output]
 router# set ?
 Possible completions:
 + apply-groups         Groups from which to inherit configuration data
 + apply-groups-except  Don't inherit configuration data from these groups
 > interface            Interfaces through which to send sampled traffic
   no-filter-check      Do not check for filters on port-mirroring interface
 [edit forwarding-options port-mirroring family inet6 output]
 
 This limitation is actually mentioned in the documentation, here:
 
 http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/services-configuring-port-mirroring.html
 
 Port mirroring supports up to 16 next hops, but there is no next-hop
 group support for inet6.
 
 However I was wondering perhaps someone knows if there's a trick to this
 using filter based forwarding? I can't really figure out how from the
 examples given.
 
 This is an MX80 on JunOS 11.2R3.3
 
 Thanks!
 
   ~paul
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
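As an added example (not code from the thread or from Junos), a small Python checker that parses the brace-style MX configuration shown above and verifies the property the L3-mirror-into-a-VLAN workaround depends on: each port-mirroring output interface has neighbor learning disabled and a static ARP/NDP entry for its next-hop, so mirrored copies always go to the fixed, unlearnable MAC. The hierarchy names `forwarding-options` and `interfaces` are standard Junos; the embedded config text is a constructed sample built from the values quoted above.

```python
import re

# Constructed sample in Junos brace syntax, built from the MX config quoted above.
MX_CONFIG = """
forwarding-options { port-mirroring {
    family inet { output { interface ge-0/1/2.0 { next-hop 192.0.2.2; } } }
    family inet6 { output { interface ge-0/1/2.0 { next-hop 2001:0db8::2; } } } } }
interfaces { ge-0/1/2 { unit 0 {
    family inet { no-neighbor-learn;
        address 192.0.2.1/30 { arp 192.0.2.2 mac 02:02:02:02:02:02; } }
    family inet6 { no-neighbor-learn;
        address 2001:0db8::1/126 { ndp 2001:0db8::2 mac 02:02:02:02:02:02; } } } } }
"""

def parse(text):
    # Junos brace config -> nested dicts; leaf statements ("x y;") map to None.
    tokens, pos = re.findall(r"[{};]|[^{};\s]+", text), 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "}":
                return node
            if tok in ("{", ";"):
                node[" ".join(words)] = block() if tok == "{" else None
                words = []
            else:
                words.append(tok)
        return node
    return block()

STATIC_RE = re.compile(r"^(?:arp|ndp) (\S+) mac ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)

def check_mirror_outputs(cfg):
    """Problems found (empty list = every mirror output has a fixed, static next-hop)."""
    problems = []
    pm = cfg["forwarding-options"]["port-mirroring"]
    for fam in ("inet", "inet6"):
        for key, body in pm.get(f"family {fam}", {}).get("output", {}).items():
            if not key.startswith("interface "):
                continue
            phys, unit = key.split()[1].rsplit(".", 1)  # ge-0/1/2.0 -> ge-0/1/2, 0
            famcfg = cfg["interfaces"][phys][f"unit {unit}"][f"family {fam}"]
            if "no-neighbor-learn" not in famcfg:
                problems.append(f"{phys}.{unit} {fam}: neighbor learning still enabled")
            static = {m.group(1) for addr, leaves in famcfg.items() if addr.startswith("address ")
                      for k in (leaves or {}) if (m := STATIC_RE.match(k))}
            nexthops = [k.split()[1] for k in body if k.startswith("next-hop ")]
            if not nexthops or nexthops[0] not in static:
                problems.append(f"{phys}.{unit} {fam}: next-hop lacks a static ARP/NDP entry")
    return problems
```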


[j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-18 Thread Paul Vlaar
Hi, I've currently successfully gotten port mirroring setup to more than
one port, using the following config:

port-mirroring {
family inet {
output {
next-hop-group default-collect;
}
}

next-hop-group default-collect {
group-type inet;
interface ge-1/3/2.0 {
next-hop 192.168.10.2;
}
interface ge-1/3/5.0 {
next-hop 192.168.20.2;
}
}

router show configuration interfaces ge-1/3/2
unit 0 {
family inet {
address 192.168.10.1/30 {
arp 192.168.10.2 mac 00:1b:21:86:a2:92;
}
}
family inet6 {
address fdb5:1281:f3cf:c7c4::1/64 {
ndp fdb5:1281:f3cf:c7c4::2 mac 00:1b:21:86:a2:92;
}
}
}

router show configuration interfaces ge-1/3/5
unit 0 {
family inet {
address 192.168.20.1/30 {
arp 192.168.20.2 mac 00:1b:21:86:a3:9a;
}
}
family inet6 {
address fd3d:122a:8541:ecb5::1/64 {
ndp fd3d:122a:8541:ecb5::2 mac 00:1b:21:86:a2:93;
}
}
}

This works very nicely, I see traffic at both measurement hosts. I would
like to do the same for IPv6, but there's no next-hop-group setting
available:

[edit forwarding-options port-mirroring family inet6 output]
router# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> interface            Interfaces through which to send sampled traffic
  no-filter-check      Do not check for filters on port-mirroring interface
[edit forwarding-options port-mirroring family inet6 output]

This limitation is actually mentioned in the documentation, here:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/services-configuring-port-mirroring.html

Port mirroring supports up to 16 next hops, but there is no next-hop
group support for inet6.

However I was wondering perhaps someone knows if there's a trick to this
using filter based forwarding? I can't really figure out how from the
examples given.

This is an MX80 on JunOS 11.2R3.3

Thanks!

~paul


Re: [j-nsp] port mirror to multiple ports on MX80 in inet6

2012-10-18 Thread Alex Arseniev

You could do cascaded PM. In a nutshell:
1/ port-mirror original packet, send the original packet on its way
2/ send the COPY into a loop (cable loop or looped tunnel)
3/ take the looped COPY and mirror it once again, creating 2nd copy.
4/ send 1st copy and 2nd copy on their respective ways.
HTH
Rgds
Alex


- Original Message - 
From: Paul Vlaar p...@vlaar.net

To: juniper-nsp@puck.nether.net
Sent: Thursday, October 18, 2012 11:45 PM
Subject: [j-nsp] port mirror to multiple ports on MX80 in inet6



Hi, I've currently successfully gotten port mirroring setup to more than
one port, using the following config:

port-mirroring {
   family inet {
   output {
   next-hop-group default-collect;
   }
   }

next-hop-group default-collect {
   group-type inet;
   interface ge-1/3/2.0 {
   next-hop 192.168.10.2;
   }
   interface ge-1/3/5.0 {
   next-hop 192.168.20.2;
   }
}

router show configuration interfaces ge-1/3/2
unit 0 {
   family inet {
   address 192.168.10.1/30 {
   arp 192.168.10.2 mac 00:1b:21:86:a2:92;
   }
   }
   family inet6 {
   address fdb5:1281:f3cf:c7c4::1/64 {
   ndp fdb5:1281:f3cf:c7c4::2 mac 00:1b:21:86:a2:92;
   }
   }
}

router show configuration interfaces ge-1/3/5
unit 0 {
   family inet {
   address 192.168.20.1/30 {
   arp 192.168.20.2 mac 00:1b:21:86:a3:9a;
   }
   }
   family inet6 {
   address fd3d:122a:8541:ecb5::1/64 {
   ndp fd3d:122a:8541:ecb5::2 mac 00:1b:21:86:a2:93;
   }
   }
}

This works very nicely, I see traffic at both measurement hosts. I would
like to do the same for IPv6, but there's no next-hop-group setting
available:

[edit forwarding-options port-mirroring family inet6 output]
router# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> interface            Interfaces through which to send sampled traffic
  no-filter-check      Do not check for filters on port-mirroring interface
[edit forwarding-options port-mirroring family inet6 output]

This limitation is actually mentioned in the documentation, here:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/services-configuring-port-mirroring.html

Port mirroring supports up to 16 next hops, but there is no next-hop
group support for inet6.

However I was wondering perhaps someone knows if there's a trick to this
using filter based forwarding? I can't really figure out how from the
examples given.

This is an MX80 on JunOS 11.2R3.3

Thanks!

~paul


