Ethernet Switching
Contributor
HendersonD
Posts: 22
Registered: 07-17-2012

EX4500 port mirroring ?

We currently have a Cisco 6509 core switch that is being replaced with a stack of two EX4500s. On our 6509 we have port mirroring setup using these statements:

monitor session 1 source interface Gi4/45
monitor session 1 destination interface Gi4/43 - 44


In essence we are sending all the traffic from my router (port 4/45) to a content filter (port 4/43) AND a network analyzer box (port 4/44). It appears that this type of port mirroring cannot be set up on the EX4500. In other words, using the EX4500 I can send traffic from my router to my content filter OR my network analyzer box, but not both.


Is this correct?

Distinguished Expert
lyndidon
Posts: 1,315
Registered: 06-06-2011

Re: EX4500 port mirroring ? Hope this helps.

Configuring Port Mirroring to Analyze Traffic (CLI Procedure)


Restrictions on Layer 2 Port Mirroring

The following restrictions apply to Layer 2 port mirroring:

  • Only Layer 2 transit data (packets that contain chunks of data transiting the routing platform as they are forwarded from a source to a destination) can be mirrored. Layer 2 local data (packets that contain chunks of data that are destined for or sent by the Routing Engine, such as Layer 2 control packets) are not mirrored.
  • If you apply a port-mirroring filter to the output of a logical interface, only unicast packets are mirrored. To mirror broadcast packets, multicast packets, unicast packets with an unknown destination media access control (MAC) address, or packets with MAC entry in the destination MAC (DMAC) routing table, apply a filter to the input to the flood table of a bridge domain or virtual private LAN service (VPLS) routing instance.
  • The mirror destination device should be on a dedicated bridge domain and should not participate in any bridging activity: The mirror destination device should not have a bridge to the ultimate traffic destination, and the mirror destination device should not send the mirrored packets back to the source address.
  • For either the global port-mirroring instance or a named port-mirroring instance, you can configure only one mirror output interface per port-mirroring instance and packet address family. If you include more than one interface statement under the family (bridge | ccc | vpls) output statement, the previous interface statement is overridden.
  • Layer 2 port-mirroring firewall filtering is not supported for logical systems.

In a Layer 2 port-mirroring firewall filter definition, the filter action-modifier (port-mirror or port-mirror-instance pm-instance-name) relies on port-mirroring properties defined in the global instance or named instances of Layer 2 port mirroring, which are configured under the [edit forwarding-options port-mirroring] hierarchy. Therefore, the filter term cannot support Layer 2 port mirroring for logical systems.

  • For a Layer 2 port mirroring firewall filter in which you implicitly reference Layer 2 port mirroring properties by including the port-mirror statement, if multiple named instances of Layer 2 port mirroring are bound to the underlying physical interface, then only the first binding in the stanza (or the only binding) is used at the logical interface. This is done mainly for backward compatibility.
  • Layer 2 port-mirroring firewall filters do not support the use of next-hop subgroups for load-balancing mirrored traffic.


You configure port mirroring in order to copy packets so that you can analyze traffic using a protocol analyzer application. You can mirror traffic entering or exiting an interface, or entering a VLAN. You can send the mirrored packets to a local interface to monitor traffic locally or to a VLAN to monitor traffic remotely.

We recommend that you disable port mirroring when you are not using it and select specific input interfaces in preference to using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter or the ratio keyword to mirror only a selection of packets.


Note: If you want to create additional analyzers without deleting the existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command or the J-Web configuration page for port mirroring.

Note: Interfaces used as input or output for a port mirror analyzer must be configured as family ethernet-switching.

Configuring Port Mirroring for Local Traffic Analysis

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:

  1. Choose a name for the port mirroring configuration—in this case, employee-monitor—and specify the input—in this case, packets entering ge-0/0/0 and ge-0/0/1:
    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
  2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch.

  3. Configure the destination interface for the mirrored packets:
    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
  4. commit

Configuring Port Mirroring for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

  1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this documentation:
    [edit]
    user@switch# set vlans remote-analyzer vlan-id 999
  2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:
    [edit]
    user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
  3. Configure the analyzer:
    1. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor loss-priority high
    2. Specify the traffic to be mirrored—in this example the packets entering ports ge-0/0/0 and ge-0/0/1:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
      user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
    3. Specify the remote-analyzer VLAN as the output for the analyzer:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor output vlan 999
  4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
    [edit ethernet-switching-options]
    user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

  5. commit

Filtering the Traffic Entering a Port Mirroring Analyzer

To filter which packets are mirrored to an analyzer, create the analyzer, then use it as the action in the firewall filter. You can use firewall filters in both local and remote port mirroring configurations.

If the same analyzer is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once.

To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. The action of the firewall filter provides the input to the analyzer.

To configure port mirroring with filters:

  1. Configure the analyzer name and output:
    1. For local analysis, set the output to the local interface to which you will connect the computer running the protocol analyzer application:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
    2. For remote analysis, set the loss priority to high and set the output to the remote-analyzer VLAN:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor loss-priority high output vlan 999
  2. Create a firewall filter using any of the available match conditions and specify the action as analyzer employee-monitor:

This example shows a firewall filter called example-filter, with two terms:

    1. Create the first term to define the traffic that should not pass through to the analyzer:
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term term-1 from match-condition1
      user@switch# set filter example-filter term term-1 from match-condition2
      user@switch# set filter example-filter term term-1 then accept
    2. Create the second term to define the traffic that should pass through to the analyzer:
      [edit firewall family ethernet-switching]
      user@switch# set filter example-filter term term-2 from match-condition3
      user@switch# set filter example-filter term term-2 then analyzer employee-monitor
  3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:
    [edit]
    user@switch# set interfaces interface-name unit 0 family ethernet-switching filter input example-filter
    user@switch# set vlans vlan-name filter input example-filter
  4. commit


[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Distinguished Expert
lyndidon
Posts: 1,315
Registered: 06-06-2011

Re: EX4500 port mirroring ? Ouch! My apologies

My response was too quick. Sorry for the overload... it could still help someone else anyway :smileyhappy:

But to answer your question, when you send output to the VLAN, you should be able to connect your analyzer to one of the interfaces in that VLAN and then connect whatever you want to the other interfaces. "You can send the mirrored packets to a local interface to monitor traffic locally or to a VLAN to monitor traffic remotely."

It would seem like you can configure multiple analyzers and send them to where you desire. I am almost certain I read this a few weeks ago, but cannot remember where. If I find it, I will post it here later.

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Distinguished Expert
lyndidon
Posts: 1,315
Registered: 06-06-2011

Re: EX4500 port mirroring ? Additional info

I found the following, which seems to confirm your thoughts. Here is a suggestion, which I have no way of testing, but you could try mirroring to a VLAN. Then, on the ports you have in that VLAN, disable MAC address learning, essentially making them act as a hub, and connect one port to the analyzer and one to the content filter. I do not have the facilities to test it at this time. I hope this helps some way or another.

Limitations of Port Mirroring
Port mirroring on EX Series switches has the following limitations:

  • On an EX2200 switch, you cannot configure multiple VLANs (including a VLAN range or PVLANs) as ingress input to an analyzer.
  • On an EX2200, EX3200, EX4200, or EX4500 switch, you can enable only one analyzer (port mirroring configuration).
  • On EX8200 switches, you can configure seven analyzers (port mirroring configurations). Of these, one can be configured for input and output, the others only for output configured using firewall filters; the action of the firewall filters provides the input to the analyzers.
  • An analyzer configured using a firewall filter does not support mirroring of packets that are egressing ports.
  • Packets with physical layer errors are filtered out and thus are not sent to the analyzer port or analyzer VLAN.
  • You cannot mirror packets exiting or entering the following ports:
      • Dedicated Virtual Chassis ports (VCPs)
      • Management port (me0 or vme0)
      • Routed VLAN interfaces (RVIs) and VLAN-tagged L3 interfaces
  • On EX2200, EX3200, EX4200, and EX4500 switches, mirrored packets exiting a tagged interface might contain an incorrect VLAN ID and Ethertype.

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
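The "mirror to a VLAN, then disable MAC learning on its member ports" idea from the post above, written out as one Junos set-format configuration for the original poster's scenario (one mirror source, two receivers on a single-analyzer EX4500). This is an added example, not configuration from the thread or from Juniper; the port roles (xe-0/0/0 router uplink, xe-0/0/1 content filter, xe-0/0/2 analyzer), the VLAN and analyzer names are constructed, and the approach is untested exactly as the poster says.

```junos
## Added example (not from the thread). Assumed, constructed port roles:
##   xe-0/0/0 = router uplink (the port being mirrored)
##   xe-0/0/1 = content filter, xe-0/0/2 = network analyzer

## 1. A dedicated VLAN that carries nothing but mirrored frames: no
##    production hosts, no trunk to the rest of the network.
set vlans remote-analyzer vlan-id 999

## 2. The single analyzer the EX4500 allows. loss-priority high is the
##    documented setting when the output is a VLAN rather than a local port.
##    Both directions of the router port are mirrored, matching the Cisco
##    "source interface" behaviour in the question.
set ethernet-switching-options analyzer router-monitor loss-priority high
set ethernet-switching-options analyzer router-monitor input ingress interface xe-0/0/0.0
set ethernet-switching-options analyzer router-monitor input egress interface xe-0/0/0.0
set ethernet-switching-options analyzer router-monitor output vlan 999

## 3. The two receivers are untagged access members of the mirror VLAN only,
##    so the "incorrect VLAN ID on tagged interfaces" limitation above does
##    not apply and neither device can reach production VLANs.
set interfaces xe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members remote-analyzer
set interfaces xe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members remote-analyzer

## 4. With MAC learning off, the switch never narrows a mirrored frame down
##    to a single learned port; every copy floods to both receivers, which
##    is the hub-like behaviour the poster describes.
set ethernet-switching-options interfaces xe-0/0/1.0 no-mac-learning
set ethernet-switching-options interfaces xe-0/0/2.0 no-mac-learning
```

After `commit`, `show analyzer` should list router-monitor with the two input statements and VLAN 999 as output; if either receiver sees only part of the traffic, check `show ethernet-switching table` for learned entries on xe-0/0/1.0 or xe-0/0/2.0, which would mean the no-mac-learning statements did not take effect.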
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.