4/24/2012

Mirroring from multiple physical interfaces to one interface

How do you port mirror from multiple physical interfaces (on multiple devices) to a server with a single Ethernet interface?

(updated 25th March 2013)
How do you differentiate between port mirroring sources? You can choose NetFlow or sFlow on switches, but not all devices can handle every packet at a 1:1 packet rate. In my example I have an SRX 210. The mirrored ports are trunk ports with a native VLAN configured; you may know this as a hybrid port. An incoming packet with no VLAN tag is assigned to a particular VLAN (vlan 10); any other packet must carry a particular VLAN tag (vlan 5 or vlan 6) that is configured on the switch port. I did not test port mirroring on Juniper EX switches but rather on Avaya 5000 series switches; the Juniper EX port mirror configuration is added for reference.

Configuration of Juniper EX switch for this type of port

# show interfaces
ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ 5 6 ];
            }
            native-vlan-id 10;
        }
    }
}

Port mirroring of TX and RX traffic on Juniper EX switch

# show ethernet-switching-options
analyzer myportmirror {
    loss-priority high;
    input {
        ingress {
            interface ge-0/0/20.0;
        }
        egress {
            interface ge-0/0/20.0;
        }
    }
    output {
        interface {
            ge-0/0/0.0;
        }
    }
}


Avaya ERS 5600 with firmware 6.2.x

port-mirroring mode Xrx monitor-port 1 mirror-port-X 2

vlan create 5-6,10 type port 1
vlan configcontrol flexible
vlan members 1 NONE
vlan members 5-6,10 2
vlan ports 2 pvid 10
vlan configcontrol strict

Scenario

We want to mirror traffic from two devices, for example switches, but we have a server with a single interface for pcap capture.
1. Turn on port mirroring on the two devices.
2. Connect SRX 210 port ge-0/0/1 to the server, and the mirror ports of those two devices to ports fe-0/0/4 and fe-0/0/5.
3. Configure 802.1ad (QinQ) on the SRX so that trunk port ge-0/0/1 faces the backbone and fe-0/0/4, fe-0/0/5 face the CE. Each port connected to a switch has its own S-VLAN. All tagged and untagged (C-VLAN) packets will now carry an additional L2 header (S-VLAN).



Diagram (the original diagram image is not included on this page)

SRX 210 Configuration

interfaces {
    ge-0/0/1 {
        description "port mirror";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ port1 port2 ];
                }
            }
        }
    }
    fe-0/0/4 {
        description "Mirror 1";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members port1;
                }
            }
        }
    }
    fe-0/0/5 {
        description "Mirror 2";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members port2;
                }
            }
        }
    }
}

# show vlans
port1 {
    vlan-id 1004;
    dot1q-tunneling;
}
port2 {
    vlan-id 1005;
    dot1q-tunneling;
}


To conserve the MAC address table on the SRX 210, disable MAC address learning on the ports, or on the VLANs.

ethernet-switching-options {
    interfaces {
        ge-0/0/1.0 {
            no-mac-learning;
        }
        fe-0/0/4.0 {
            no-mac-learning;
        }
        fe-0/0/5.0 {
            no-mac-learning;
        }
    }
}



I don't see a way to create a firewall filter that drops incoming packets on a port configured with family ethernet-switching.

Observing results. A PC with Wireshark is connected to port ge-0/0/1. Please notice the text under the pictures.

Packet from fe-0/0/4, tagged with vlan 1004; the packet was received untagged on fe-0/0/4.

Packet from fe-0/0/4, double tagged with the additional vlan 1004 and the original vlan 5.

Packet from fe-0/0/4, double tagged with the additional vlan 1004 and the original vlan 6. The difference from the previous picture is vlan 6.

Mirrored port fe-0/0/5

Packet from fe-0/0/5, double tagged with the additional vlan 1005 and the original vlan 5.

Packet from fe-0/0/4, double tagged with the additional vlan 1004 and the original vlan 5.

Packet from fe-0/0/5, double tagged with the additional vlan 1004 and the original vlan 6. The difference from the previous picture is vlan 6.

Note: you can see packets tagged with the S-VLAN as configured. Each port has its own S-VLAN.

Bear in mind that packets received on the server could arrive out of order because of the SRX's internal processing.
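As an added example (not part of the original post), here is a small Python parser that does by hand what the Wireshark screenshots show: it peels the S-VLAN and C-VLAN tags off a frame captured on the server and attributes the frame to fe-0/0/4 or fe-0/0/5, treating a missing inner tag as the native VLAN. It assumes the S-VLAN ids 1004/1005 and native VLAN 10 from this post, that the SRX adds its S-tag with the default 0x8100 ethertype, and the frame builder constructs test frames with made-up MAC addresses.

```python
import struct

# From the post: S-VLAN id per SRX access port, and native VLAN 10 on the mirrored
# switch ports (assumed the same on both devices): an untagged frame belongs to VLAN 10.
SVLAN_TO_PORT = {1004: "fe-0/0/4", 1005: "fe-0/0/5"}
NATIVE_VLAN = 10
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}   # C-tag, S-tag and legacy QinQ ethertypes


def parse_mirrored_frame(frame: bytes) -> dict:
    """Peel the VLAN tag stack off a captured frame and attribute it to a source port.
    Outer tag = S-VLAN added by the SRX (which mirrored device); optional inner
    tag = original C-VLAN; no inner tag = received untagged, i.e. native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off = 12                            # skip destination and source MAC
    vids = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame inside the tag stack")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_ETHERTYPES:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)       # low 12 bits of the TCI are the VLAN id
        off += 4
    if not vids:
        raise ValueError("no S-VLAN tag: frame did not come through the QinQ mirror")
    if vids[0] not in SVLAN_TO_PORT:
        raise ValueError(f"unexpected S-VLAN {vids[0]}")
    return {
        "src_port": SVLAN_TO_PORT[vids[0]],
        "s_vlan": vids[0],
        "c_vlan": vids[1] if len(vids) > 1 else NATIVE_VLAN,
        "originally_tagged": len(vids) > 1,
        "ethertype": etype,
        "payload": frame[off + 2:],
    }


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 20) -> bytes:
    """Construct a test frame with the given VLAN id stack, outermost first."""
    hdr = bytes.fromhex("001122334455" "66778899aabb")   # constructed dst/src MACs
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid)   # SRX default S-tag ethertype is 0x8100
    return hdr + struct.pack("!H", ethertype) + payload
```

On a real capture, feed each frame's raw bytes from the pcap to parse_mirrored_frame and group the results by src_port and c_vlan to split the single capture back into per-device traffic.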

Jozef Klacko

References

Application note: J Series and branch SRX series ethernet switching configuration guide (pdf)
Avaya support documentation webpage: http://support.avaya.com/downloads/

4/07/2012

Interface-range - IOS Vs Junos

To edit multiple interfaces at once. In configuration mode: IOS "(config)#", Junos "#".

Purpose: go to multiple interfaces configuration (define range)
  IOS:   interface range fastethernet0/1 - 9
  Junos: set interfaces interface-range myshutdown-ed member ge-0/0/0
         set interfaces interface-range myshutdown-ed member ge-0/0/1
         ... or
         set interfaces interface-range myshutdown-ed member-range ge-0/0/0 to ge-0/0/9
         ... or
         set interfaces interface-range myshutdown-ed member ge-0/0/[0-9]

Purpose: apply some command (e.g. shutdown) to the interface range
  IOS:   shutdown
  Junos: set interfaces interface-range myshutdown-ed disable

Showing configuration
use show or show interfaces interface-range myshutdown-ed

interfaces {
    interface-range myshutdown-ed {
        member "ge-0/0/0";
        member "ge-0/0/1";
        ...
        disable;
    }
}

... or

interfaces {
    interface-range myshutdown-ed {
        member-range ge-0/0/0 to ge-0/0/9;
        disable;
    }
}

... or

interfaces {
    interface-range myshutdown-ed {
        member "ge-0/0/[0-9]";
        disable;
    }
}

How the configuration is actually applied
show interfaces | display inheritance | except #

ge-0/0/0 {
    disable;
}
ge-0/0/1 {
    disable;
}
...
ge-0/0/9 {
    disable;
}

Or you can see where the configuration is applied from (e.g. from an interface-range or even from apply-groups):

show interfaces | display inheritance

ge-0/0/0 {
    ##
    ## 'disable' was expanded from interface-range 'myshutdown-ed'
    ##
    disable;
}
...

Junos: Don't forget to commit.

This contribution is also listed in forums.juniper.net - IOS to Junos (I2J) Tips Contest
Interface range - IOS Vs Junos

Cisco Flex Links vs. Juniper Redundant Trunk Group (RTG)

Hi,

Flex Links are much the same as RTG (Redundant Trunk Group). They are mostly used when you want to avoid Spanning Tree, on access switches connecting to two aggregation switches.
See a picture on page http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/cfm-redundant-trunk-groups-understanding.html

Requirements:
  • Juniper EX series switch with Junos 10.4 or later
  • Ports configured with family ethernet-switching
RTG ports can be "simple ports" like ge-0/0/0, or aggregated interfaces (ae0) with family ethernet-switching. Primary and backup need not be of the same type. With "set interfaces ae0 aggregated-ethernet-options minimum-links X" you can specify when an aggregated interface is treated as not working.


Go to configuration mode
  Cisco:   configure terminal  (prompt "Switch(conf)#")
  Juniper: configure           (prompt "user@switch#")

Purpose: disable spanning tree on the port
  IOS:   Spanning tree is turned off automatically on flex links
  Junos: user@host# set protocols rstp interfaces ge-0/0/5 disable
         user@host# set protocols rstp interfaces ge-0/0/6 disable

Purpose: set Flex Links / RTG
  IOS:   Switch(conf)# interface gigabitethernet0/1
         Switch(conf-if)# switchport backup interface gigabitethernet0/2
  Junos: user@host# set ethernet-switching-options redundant-trunk-group group rtg1 interface ge-0/0/5.0 primary
         user@host# set ethernet-switching-options redundant-trunk-group group rtg1 interface ge-0/0/6.0

Purpose: configure preemption (optional). "Preemption modes: forced, bandwidth, off. For preemption to work, set forced or bandwidth."
  IOS:   Switch(conf-if)# switchport backup interface gigabitethernet0/2 preemption mode [forced | bandwidth]
         Switch(conf-if)# switchport backup interface gigabitethernet0/2 preemption delay 60
         "Change the length of time (from the default 120 seconds) that a re-enabled primary link waits to take over for an active secondary link."
  Junos: user@host# set ethernet-switching-options redundant-trunk-group group rtg1 preempt-cutover-timer 60

Purpose: show Flex Link / RTG status
  IOS:   Switch(conf-if)# exit
         Switch(conf)# exit
         Switch# show interface switchport backup
         Switch# show interface switchport backup detail
  Junos: user@host# run show redundant-trunk-group

Purpose: save configuration / apply and save configuration
  IOS:   Switch# copy running-config startup-config
  Junos: user@host# commit

This contribution is also listed in forums.juniper.net - IOS to Junos (I2J) Tips Contest
Flex Links vs RTG