Ethernet Switching

Port mirroring // RSPAN with Juniper QFX switch as a transit switch

a month ago

Hello,

I have to implement port mirroring, with RSPAN to collect and monitor the traffic from a cisco switch (1) to another cisco switch (2).

But in between there's a Juniper QFX switch (the one I am calling the 'transit switch').

So my source will be a Cisco switch (1) port, my RSPAN VLAN is VLAN 35, then I'll go through the Juniper QFX, and the final destination is another Cisco switch (2), from which I will collect the remote traffic.

I'd like to know what is the configuration to put in the QFX, so that it will be able to collect and forward that traffic from the interface ge-1/0/46 [input interface connected to the Cisco (1)] to the interface ge-0/0/9 [output interface connected to the Cisco (2)].

The traffic will be transferred in a VLAN trunk, with many VLANs, and I'd like to collect the traffic from VLAN 35 only.

CISCO (1)                          JUNIPER QFX                                        CISCO (2)
RSPAN VLAN 35  =trunk vlan35=>  int ge-1/0/46  RSPAN VLAN 35(?)  int ge-0/0/9  =trunk vlan35=>  RSPAN VLAN 35

Thanks for your help!


Re: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

a month ago
Hi RyRy_G,

Yes, simply trunking the required VLAN should work like any other traffic, because the contents are transparent to the QFX. The only other thing I could think of is if you have any firewall filter applied on the QFX interfaces; allow the required IP/port fields. Else we should be good.

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

a month ago

Hi schoberw,

Greetings, this is possible; here is a sample of the configuration that would do the job:


Configuring Port Mirroring for Remote Traffic Analysis (ELS)

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this KB:

[edit]
user@switch# set vlans remote-analyzer vlan-id 999

Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:

[edit]
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999

Configure the analyzer. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:

[edit forwarding-options]
user@switch# set analyzer employee-monitor loss-priority high

Specify the traffic to be mirrored; in this example the packets entering ports ge-0/0/0 and ge-0/0/1:

[edit forwarding-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

Specify the remote-analyzer VLAN as the output for the analyzer:

[edit forwarding-options]
user@switch# set analyzer employee-monitor output vlan 999

Optionally, you can specify a statistical sampling of the packets by setting a ratio:

[edit forwarding-options]
user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic, as a very high volume of mirrored traffic can be performance intensive for the switch.

Source: https://kb.juniper.net/InfoCenter/index?page=content&id=KB10878&cat=SWITCH_PRODUCTS&actp=LIST

If you are missing some traffic or you need this traffic to be untagged, please use this knob: no-tag

i.e.

set forwarding-options analyzer PAN-Test output vlan 999 no-tag

If you are trying another variation, please check the RSPAN limitations:

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-mirroring-limitatio...

If you are using Wireshark as the analyzer software you might get the packets marked as ERSPAN, which Wireshark reports as fake ERSPAN.


> you can decode the following.
> -----------------------------------
> select menu:
> Edit -> preferences -> protocol -> ERSPAN
>
> Check:
> "FORCE to decode fake ERSPAN frame:".

Regards,
Lil Dexx JNCIE-ENT#863

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.


Re: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

a month ago

Hello!

Thanks for the reply!

I found something that seems to be good to put into the QFX configuration:


set vlans remote-analyzer vlan-id 999
set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/46
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/9
set vlans remote-analyzer no-mac-learning

What do you think about it?

I think you can't only 'spread' the VLAN traffic as a simple VLAN trunk; you have to specify that it's an 'RSPAN VLAN' (just like in Cisco's configuration), hence the 'set vlans remote-analyzer vlan-id 999' configuration line.

Unfortunately, I can't let you know briefly if it's working, because I have no lab to test this configuration!

Thank you for your help again!


Re: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

3 weeks ago

Hi RyRy_G,

Your understanding is correct; the RSPAN VLAN needs to be enabled so you can pass your "mirror traffic" across switches. Make sure it is enabled on all links along the path up to your PC running Wireshark.

set vlans remote-analyzer vlan-id 999
set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/46
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/9
set vlans remote-analyzer no-mac-learning     >>>>>>>> this will only flood the traffic through it.

I have no way to test it unfortunately, my apologies, but I think it should work that way.

If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.


Re: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

3 weeks ago

Hello, I tried this method but it doesn't work through a 'simple' trunk.

You have to use the trunk but also configure an analyzer, to set the input VLAN and another, different output VLAN.

set vlans VLAN_RSPAN vlan-id 36
set interfaces ge-0/0/46 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members 36

set vlans VLAN_JUNIPER_CISCO vlan-id 37
set interfaces ge-0/0/40 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/40 unit 0 family ethernet-switching vlan members 37

show vlans brief

Routing instance    VLAN name            Tag    Interfaces
default-switch      VLAN_JUNIPER_CISCO   37     ge-0/0/40.0*
default-switch      VLAN_RSPAN           36     ge-0/0/46.0*
default-switch      default              1

show forwarding-options analyzer TEST_RSPAN

Analyzer name : TEST_RSPAN
Mirror rate : 1
Maximum packet length : 0
State : up
Ingress monitored interfaces : ge-0/0/46.0
Ingress monitored VLANs : default-switch/VLAN_RSPAN
Output VLAN : default-switch/VLAN_JUNIPER_CISCO

show forwarding-options analyzer TEST_RSPAN | display set

set forwarding-options analyzer TEST_RSPAN input ingress interface ge-0/0/46.0
set forwarding-options analyzer TEST_RSPAN input ingress vlan VLAN_RSPAN
set forwarding-options analyzer TEST_RSPAN output vlan VLAN_JUNIPER_CISCO

Then you have to make a trunk with VLAN 37 between the QFX and the Cisco router to which you want to spread and send the monitoring stream.

I did this in my lab at work, and it is working!


Re: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

3 weeks ago

Hi RyRy,

I would just create a dummy VLAN on the 'transit' QFX and disable MAC learning on that VLAN, so traffic that ingresses is flooded out the ports of that VLAN. Be careful: you would only need this 'dummy' VLAN on two ports, so be sure not to flood the traffic on all ports by mistake. With that logic you can put in any transit device with a similar configuration.

To disable MAC learning in a VLAN:

[edit]
user@switch# edit ethernet-switching-options interfaces xe-0/0/0.0

[edit ethernet-switching-options interfaces xe-0/0/0.0]
user@switch# set no-mac-learning

Regards,

Benjamin
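Two points in this thread are worth checking mechanically on the transit QFX: the working configuration uses an analyzer with one input VLAN and a different output VLAN, and the last reply warns that a no-mac-learning VLAN floods mirrored frames out of every port that is a member of it. The script below is an added example, not code from the thread or from Juniper; it parses the `show vlans brief` and `show forwarding-options analyzer <name>` output formats pasted above (the sample outputs here are constructed to match them) and flags an analyzer that is down, an input VLAN equal to the output VLAN, or a mirroring VLAN that has members beyond the two ports you intended (the EXPECTED_PORTS map is an assumption for the lab in the thread).

```python
"""Sanity-check a QFX 'transit' RSPAN setup from Junos show-command output.

Added example (not the thread's or Juniper's code). Parses the output formats
pasted in the thread and checks: analyzer up, input VLAN != output VLAN, and
each mirroring VLAN present only on the intended ports (no-mac-learning floods
to every member port, so a stray member leaks the mirrored traffic).
"""
import re

# Constructed sample, modelled on the working post's `show vlans brief`.
SHOW_VLANS_BRIEF = """\
Routing instance VLAN name Tag Interfaces
default-switch VLAN_JUNIPER_CISCO 37
ge-0/0/40.0*
default-switch VLAN_RSPAN 36
ge-0/0/46.0*
default-switch default 1
"""

# Constructed variant: the output VLAN was added to a third port by mistake.
SHOW_VLANS_BRIEF_LEAKY = """\
Routing instance VLAN name Tag Interfaces
default-switch VLAN_JUNIPER_CISCO 37
ge-0/0/40.0*
ge-0/0/41.0*
default-switch VLAN_RSPAN 36
ge-0/0/46.0*
default-switch default 1
"""

# Constructed sample of `show forwarding-options analyzer TEST_RSPAN`.
SHOW_ANALYZER = """\
Analyzer name : TEST_RSPAN
Mirror rate : 1
Maximum packet length : 0
State : up
Ingress monitored interfaces : ge-0/0/46.0
Ingress monitored VLANs : default-switch/VLAN_RSPAN
Output VLAN : default-switch/VLAN_JUNIPER_CISCO
"""

# Assumed: the only ports allowed to carry each mirroring VLAN on the transit QFX.
EXPECTED_PORTS = {
    "VLAN_RSPAN": {"ge-0/0/46.0"},          # link towards Cisco (1)
    "VLAN_JUNIPER_CISCO": {"ge-0/0/40.0"},  # link towards Cisco (2)
}

VLAN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)(?:\s+(.*))?$")


def parse_vlans_brief(text):
    """Return {vlan_name: {"tag": int, "interfaces": [...]}}.

    Member interfaces may sit on the VLAN line or on following lines (as in the
    thread's paste); the trailing '*' (link up) marker is stripped.
    """
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Routing instance"):
            continue
        m = VLAN_LINE.match(line)
        if m:
            name, tag, rest = m.group(2), int(m.group(3)), m.group(4)
            current = vlans.setdefault(name, {"tag": tag, "interfaces": []})
            if rest:
                current["interfaces"] += [i.rstrip("*") for i in rest.split()]
        elif current is not None:
            current["interfaces"] += [i.rstrip("*") for i in line.split()]
    return vlans


def parse_analyzer(text):
    """Return the 'Key : value' fields of `show forwarding-options analyzer`."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def vlan_name(ref):
    """'default-switch/VLAN_RSPAN' -> 'VLAN_RSPAN' (drop the routing instance)."""
    return ref.rsplit("/", 1)[-1]


def check_transit_rspan(vlans_text, analyzer_text, expected_ports):
    """Return a list of problems; an empty list means the setup looks sane."""
    vlans = parse_vlans_brief(vlans_text)
    an = parse_analyzer(analyzer_text)
    problems = []
    if an.get("State") != "up":
        problems.append("analyzer %s is not up" % an.get("Analyzer name"))
    in_vlan = vlan_name(an.get("Ingress monitored VLANs", ""))
    out_vlan = vlan_name(an.get("Output VLAN", ""))
    if not in_vlan or not out_vlan:
        problems.append("analyzer lacks an input VLAN or an output VLAN")
        return problems
    if in_vlan == out_vlan:
        problems.append("input and output VLAN are the same (%s)" % in_vlan)
    for name in (in_vlan, out_vlan):
        if name not in vlans:
            problems.append("VLAN %s not present in `show vlans brief`" % name)
            continue
        actual = set(vlans[name]["interfaces"])
        wanted = set(expected_ports.get(name, ()))
        extra, missing = actual - wanted, wanted - actual
        if extra:  # mirrored copies would be flooded out of these ports too
            problems.append("VLAN %s carries mirrored traffic to unintended ports: %s"
                            % (name, sorted(extra)))
        if missing:
            problems.append("VLAN %s is missing expected ports: %s" % (name, sorted(missing)))
    mon = an.get("Ingress monitored interfaces", "")
    if mon and in_vlan in vlans and mon not in vlans[in_vlan]["interfaces"]:
        problems.append("monitored interface %s is not a member of %s" % (mon, in_vlan))
    return problems


if __name__ == "__main__":
    for label, text in (("good", SHOW_VLANS_BRIEF), ("leaky", SHOW_VLANS_BRIEF_LEAKY)):
        print(label, check_transit_rspan(text, SHOW_ANALYZER, EXPECTED_PORTS) or "OK")
```

Paste your own `show vlans brief` and `show forwarding-options analyzer` output into the two strings and adjust EXPECTED_PORTS to the two uplinks on your transit switch; any line in the returned list is a port that would receive a copy of the mirrored traffic without being on the path to the analyzer.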