Ethernet Switching

EX4600 Virtual Chassis and port mirroring

2 weeks ago

Experiencing issues with getting port mirroring to function properly on an EX4600 virtual chassis, as our core. JUNOS is last recommended. JTAC says configuration is good, but still we have no solution.

We have a Secure Onion server, 2 NICs, 10G interfaces. We've done several different configurations, but not much luck.

We've created an analyzer for each NIC, one per switch, using ae interfaces [trunks from multiple IDFs connected to the core] in the configuration. No luck.

We tried individual interfaces, instead of the ae interfaces.  Still no luck.

We reduced the analyzers to only one for the entire VC, and it only sees one server interface, which happens to be the only Access interface.

The infosec goal is to see Everything across the Core, from all interfaces.

Anyone successful with a VC, and dual NIC spans/mirroring in place?

2 REPLIES

Re: EX4600 Virtual Chassis and port mirroring

2 weeks ago

Since JTAC has verified your span configuration, the next step is to confirm if the packets are being sent to the span port or not.

Can you connect a device with Wireshark directly to the span port and capture what traffic is egressing the port?

If there is no span traffic then you have the information to escalate with JTAC to find the Junos software bug or configuration error.

If there is span traffic on the port you have the packet capture evidence to take to the secure onion team to see why they can't process the traffic.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: EX4600 Virtual Chassis and port mirroring

2 weeks ago

Hi jmorrowCSTR,

Yep, it is working on an EX4600 VC (mixed in my case so the interface you see below would be on the EX4300s). Have not tried on an AE interface. If you share your configuration and software version, I could probably run it in the lab.

analyzer {
    analyzer-1 {
        input {
            ingress {
                interface ge-3/0/13.0;
            }
            egress {
                interface ge-3/0/13.0;
            }
        }
        output {
            interface ge-4/0/16.0;
        }
    }
    analyzer-2 {
        input {
            ingress {
                vlan VLAN999;
            }
        }
        output {
            interface ge-4/0/17.0;
        }
    }
}

You also have to remember to define the interface that you are spanning to; without this it will not work.

> show configuration interfaces ge-4/0/17
unit 0 {
    description "mirror port to Wireshark";
    family ethernet-switching;
}
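
The point in the reply above, that an analyzer output port must itself be defined with family ethernet-switching, can be checked offline against saved configuration text. This is an added example, not part of the original posts or any Juniper tooling; the function names and the sample data are assumptions made for illustration.

```python
def parse_stanzas(text):
    """Parse Junos curly-brace config into nested dicts (leaf statements map to None)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):      # blank line or echoed CLI command
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed stanza")
    return stack[0]

def undefined_span_ports(analyzer_text, interface_configs):
    """Return (analyzer, output interface) pairs lacking family ethernet-switching."""
    # interface_configs: physical interface name -> text printed by
    # 'show configuration interfaces <name>' (missing key = nothing configured).
    problems = []
    for name, body in parse_stanzas(analyzer_text).get("analyzer", {}).items():
        for stmt in ((body or {}).get("output") or {}):
            if not stmt.startswith("interface "):
                continue
            ifl = stmt.split()[1]                  # logical name, e.g. ge-4/0/17.0
            ifd, _, unit = ifl.partition(".")      # physical name and unit number
            cfg = parse_stanzas(interface_configs.get(ifd, ""))
            if "family ethernet-switching" not in (cfg.get(f"unit {unit or 0}") or {}):
                problems.append((name, ifl))
    return problems

# Constructed sample: two analyzers, only one output port has an interface definition.
ANALYZERS = """analyzer {
    analyzer-1 {
        output {
            interface ge-4/0/16.0;
        }
    }
    analyzer-2 {
        output {
            interface ge-4/0/17.0;
        }
    }
}"""
INTERFACES = {"ge-4/0/17": 'unit 0 {\n    description "mirror port";\n    family ethernet-switching;\n}'}
if __name__ == "__main__":
    print(undefined_span_ports(ANALYZERS, INTERFACES))
```

An empty list means every analyzer output port in the supplied text has a matching ethernet-switching unit; it says nothing about whether traffic actually egresses the port, which still needs the packet capture suggested in the first reply.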